Windows Analysis Report
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe

Overview

General Information

Sample name: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
Analysis ID: 1585998
MD5: 3b2dfefa045f3257002ad8313e5d9db2
SHA1: 48b70b309dc15e419112e09c48c93145b6634019
SHA256: 63f66c8c25bd326511fed28aaf214e602c85c2f7793a47cfd5e0f38842a6b86d
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos):
{
  "Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"],
  "Assigned name": "07-01-25",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-Y2VJ1N",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos"
}
Source | Rule | Description | Author | Strings
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | -
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown | (listed below)
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown | (listed below)
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
Source | Rule | Description | Author | Strings
00000000.00000002.4578041421.000000000235F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | -
00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown | (listed below)
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | -
0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | -
0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | (listed below)
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown | (listed below)
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, ProcessId: 1664, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T15:59:28.810103+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49709 | 179.15.136.6 | 1997 | TCP
2025-01-08T15:59:31.456177+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49710 | 178.237.33.50 | 80 | TCP
2025-01-08T15:59:27.982408+0100 | 2834936 | 1 | A Network Trojan was detected | 192.168.2.6 | 55180 | 1.1.1.1 | 53 | UDP


AV Detection

Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Avira: detected
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "07-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Y2VJ1N", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4578041421.000000000235F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043294A
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B43F
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0044D5F9 FindFirstFileExA,0_2_0044D5F9
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C79
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

Networking

Source: Network traffic | Suricata IDS: 2834936 - Severity 1 - ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) : 192.168.2.6:55180 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49709 -> 179.15.136.6:1997
Source: Malware configuration extractor | URLs: municipioalcidiadechicamocha.ddnsgeek.com
Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 179.15.136.6:1997
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: ColombiaMovilCO
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49710 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00426107 recv,0_2_00426107
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: municipioalcidiadechicamocha.ddnsgeek.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/O
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp2
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp5
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp9
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpE
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpO
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpT
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpX

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 | 0_2_004099E4
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
Source: Yara match | File source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4578041421.000000000235F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041BB87 SystemParametersInfoW,0_2_0041BB87

System Summary

                        barindex
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041ACD1 OpenProcess,NtSuspendProcess,CloseHandle, | 0_2_0041ACD1
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041ACFD OpenProcess,NtResumeProcess,CloseHandle, | 0_2_0041ACFD
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, | 0_2_004158B9
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004520E2 | 0_2_004520E2
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041D081 | 0_2_0041D081
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0043D0A8 | 0_2_0043D0A8
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00437160 | 0_2_00437160
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004361BA | 0_2_004361BA
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00426264 | 0_2_00426264
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00431387 | 0_2_00431387
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041E5EF | 0_2_0041E5EF
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0044C749 | 0_2_0044C749
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004267DB | 0_2_004267DB
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0043C9ED | 0_2_0043C9ED
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00432A59 | 0_2_00432A59
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0043CC1C | 0_2_0043CC1C
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00434D32 | 0_2_00434D32
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0043CE4B | 0_2_0043CE4B
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00440E30 | 0_2_00440E30
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00426E83 | 0_2_00426E83
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00412F45 | 0_2_00412F45
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00452F10 | 0_2_00452F10
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00426FBD | 0_2_00426FBD
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: String function: 004338B5 appears 42 times
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: String function: 00433FC0 appears 55 times
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 0_2_00416AB7
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, | 0_2_0040E219
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource, | 0_2_0041A64F
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 0_2_00419BD4
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-Y2VJ1N
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Software\ | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Rmc-Y2VJ1N | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Exe | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Exe | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Rmc-Y2VJ1N | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: 0DG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Inj | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Inj | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: @CG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: exepath | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: @CG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: exepath | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: licence | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: `=G | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: dCG | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: Administrator | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: User | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: del | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: del | 0_2_0040D767
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Command line argument: del | 0_2_0040D767
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 0_2_0041BCF3
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00434006 push ecx; ret | 0_2_00434019
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004567F0 push eax; ret | 0_2_0045680E
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00455EBF push ecx; ret | 0_2_00455ED2
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW, | 0_2_00406128
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 0_2_00419BD4
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 0_2_0041BCF3
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198D2
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Window / User API: threadDelayed 3423
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Window / User API: threadDelayed 6048
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Window / User API: foregroundWindowGot 1768
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | TID: 5908 | Thread sleep count: 252 > 30
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | TID: 5908 | Thread sleep time: -126000s >= -30000s
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | TID: 4552 | Thread sleep count: 3423 > 30
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | TID: 4552 | Thread sleep time: -10269000s >= -30000s
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | TID: 4552 | Thread sleep count: 6048 > 30
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | TID: 4552 | Thread sleep time: -18144000s >= -30000s
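The six thread sleep findings above come in pairs per TID (a call count, then a total), and each total is exactly the count times a fixed interval: 252 x 500 = 126,000, 3423 x 3000 = 10,269,000 and 6048 x 3000 = 18,144,000. The values the report prints with an "s" suffix therefore only add up as milliseconds, and the sample is calling Sleep(500) and Sleep(3000) in long loops, which is the behaviour behind the "threadDelayed" and delayed Sleep/ExitProcess findings. The helper below is an added example, not part of the Joe Sandbox report: it parses findings in that format, recovers the per-call interval and applies the thresholds the report itself states (more than 30 calls, or at least 30,000 ms, per thread). The count-then-time line order it relies on and the 600-second analysis window it compares against are assumptions.

```python
import re
from collections import defaultdict

# Joe Sandbox prints each thread-sleep finding as two lines for the same TID, e.g.
#   "TID: 4552 Thread sleep count: 3423 > 30"
#   "TID: 4552 Thread sleep time: -10269000s >= -30000s"
# The optional "|" lets the parser accept a column-separated rendering as well.
SLEEP_COUNT_RE = re.compile(r"TID:\s*(\d+)\s*\|?\s*Thread sleep count:\s*(\d+)\s*>\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"TID:\s*(\d+)\s*\|?\s*Thread sleep time:\s*-?(\d+)s\s*>=\s*-?(\d+)s")

# Constructed copies of the six sleep lines in this report.
REPORT_LINES = [
    "TID: 5908 Thread sleep count: 252 > 30",
    "TID: 5908 Thread sleep time: -126000s >= -30000s",
    "TID: 4552 Thread sleep count: 3423 > 30",
    "TID: 4552 Thread sleep time: -10269000s >= -30000s",
    "TID: 4552 Thread sleep count: 6048 > 30",
    "TID: 4552 Thread sleep time: -18144000s >= -30000s",
]


def parse_sleep_findings(lines):
    """Pair the n-th 'sleep count' line of a TID with its n-th 'sleep time' line.

    Assumption: the count line and the time line of one finding appear in that
    order, as they do in this report. The value printed with an 's' suffix is
    treated as milliseconds, because count x interval only adds up in ms
    (252 x 500 = 126000). A count line without a matching time line is dropped.
    """
    counts, totals = defaultdict(list), defaultdict(list)
    for line in lines:
        m = SLEEP_COUNT_RE.search(line)
        if m:
            counts[int(m.group(1))].append(int(m.group(2)))
            continue
        m = SLEEP_TIME_RE.search(line)
        if m:
            totals[int(m.group(1))].append(int(m.group(2)))
    findings = []
    for tid, call_counts in counts.items():
        for calls, total_ms in zip(call_counts, totals.get(tid, [])):
            findings.append({
                "tid": tid,
                "calls": calls,
                "total_ms": total_ms,
                "per_call_ms": total_ms // calls,  # recovered Sleep() argument
            })
    return findings


def sleep_evasion_verdict(findings, count_threshold=30, total_threshold_ms=30_000,
                          analysis_window_s=600):
    """Apply the report's own thresholds (> 30 calls or >= 30000 ms per thread)
    and compare the total requested sleep with an assumed analysis window."""
    flagged = sorted({f["tid"] for f in findings
                      if f["calls"] > count_threshold or f["total_ms"] >= total_threshold_ms})
    requested_s = sum(f["total_ms"] for f in findings) / 1000
    return {
        "flagged_threads": flagged,
        "requested_sleep_s": requested_s,
        "exceeds_analysis_window": requested_s > analysis_window_s,
    }


if __name__ == "__main__":
    found = parse_sleep_findings(REPORT_LINES)
    for f in found:
        print(f)
    print(sleep_evasion_verdict(found))
```

Run against the report's lines, the three findings add up to 28,539 seconds (about 7.9 hours) of requested sleep across two threads, far beyond any sandbox run; the sample only reaches its later behaviour because the sandbox skips or shortens those sleeps, which is why the same report can show both the long delays and the C2 traffic.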
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B43F
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0044D5F9 FindFirstFileExA,0_2_0044D5F9
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C79
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155142009.000000000084C000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577909694.000000000084C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWPG
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155142009.000000000084C000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577909694.000000000084C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | API call chain: ExitProcess graph end node graph_0-47656
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A66D
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCF3
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00442564 mov eax, dword ptr fs:[00000030h] 0_2_00442564
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0044E93E GetProcessHeap,0_2_0044E93E
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434178
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B54
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00433CE7 SetUnhandledExceptionFilter,0_2_00433CE7
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410F36
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00418764 mouse_event,0_2_00418764
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerGl
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager1N\
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577909694.0000000000843000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577909694.0000000000843000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager2w1K
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager1N\6
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577909694.0000000000843000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerjwK
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577909694.0000000000843000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager#wBK
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00433E1A cpuid 0_2_00433E1A
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetLocaleInfoA,0_2_0040E679
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004510CA
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_004470BE
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511F3
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004512FA
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513C7
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004475A7
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A8F
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450D52
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450D07
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450DED
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E7A
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0041A7B2 GetComputerNameExW,GetUserNameW,0_2_0041A7B2
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: 0_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044801F
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4578041421.000000000235F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: \key3.db 0_2_0040B335

Remote Access Functionality

Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Y2VJ1N
Source: Yara match | File source: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4578041421.000000000235F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe PID: 1664, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Code function: cmd.exe 0_2_00405042
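The "Stealing of Sensitive Information" and "Remote Access Functionality" findings above reduce to a few host artifacts a responder can look for on other machines: the Chrome Login Data and Firefox profile key3.db paths referenced at 0_2_0040B21B and 0_2_0040B335, the dropped C:\ProgramData\remcos\logs.dat, the Rmc-Y2VJ1N mutex, and the MachineGuid registry read from the evasion section that serves as host fingerprinting. The classifier below is an added example, not code from the report or from Remcos; it tags constructed sandbox-style events with those artifacts and combines them into a verdict. Where it generalises beyond this page it is an assumption and says so in comments: the Firefox key4.db, logins.json, cert9.db and signons.sqlite stores, the Chrome "Login Data For Account", Cookies and Web Data files, non-default Chrome profiles, the Global\ and Local\ object namespaces, and the "Rmc-" plus six alphanumerics mutex shape inferred from the single observed name.

```python
import re
from pathlib import PureWindowsPath

# Browser credential stores. "Login Data" (Chrome) and "key3.db" (Firefox) are the
# names this sample's code references; the other entries are an assumption that
# extends the check to current browser versions and additional credential files.
CHROME_STORES = {"login data", "login data for account", "cookies", "web data"}
FIREFOX_STORES = {"key3.db", "key4.db", "logins.json", "cert9.db", "signons.sqlite"}

# Mutex shape generalised from the one observed name Rmc-Y2VJ1N: "Rmc-" followed
# by six alphanumerics (assumption). Object-namespace prefixes are stripped first.
REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Za-z0-9]{6}$")
NAMESPACE_PREFIX_RE = re.compile(r"^(\\Sessions\\\d+\\BaseNamedObjects\\|Global\\|Local\\)",
                                 re.IGNORECASE)


def classify_file_path(path):
    """Tag a path that touches a browser credential store or the dropped Remcos log."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    name = p.name.lower()
    tags = []
    # Any profile directory under "User Data" is accepted, not only "Default" (assumption).
    if {"google", "chrome", "user data"} <= set(parts) and name in CHROME_STORES:
        tags.append("credential-store:chrome")
    if {"mozilla", "firefox", "profiles"} <= set(parts) and name in FIREFOX_STORES:
        tags.append("credential-store:firefox")
    if parts[-3:-1] == ["programdata", "remcos"] and name == "logs.dat":
        tags.append("remcos:log-file")
    return tags


def classify_mutex(name):
    bare = NAMESPACE_PREFIX_RE.sub("", name)
    return ["remcos:mutex"] if REMCOS_MUTEX_RE.match(bare) else []


def classify_registry(key, value):
    """The MachineGuid read is host fingerprinting; it is context, not proof of Remcos."""
    if key.lower().endswith(r"software\microsoft\cryptography") and value.lower() == "machineguid":
        return ["host-fingerprint:machineguid"]
    return []


def classify_events(events):
    """Combine per-event tags: two Remcos artifacts give a family verdict, a single
    Remcos artifact or any credential-store access is only 'suspicious'."""
    tags = set()
    for ev in events:
        if ev["type"] == "file":
            tags.update(classify_file_path(ev["path"]))
        elif ev["type"] == "mutex":
            tags.update(classify_mutex(ev["name"]))
        elif ev["type"] == "registry":
            tags.update(classify_registry(ev["key"], ev["value"]))
    remcos = sum(t.startswith("remcos:") for t in tags)
    creds = sum(t.startswith("credential-store:") for t in tags)
    if remcos >= 2:
        verdict = "remcos"
    elif remcos or creds:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"tags": sorted(tags), "remcos_indicators": remcos,
            "credential_stores": creds, "verdict": verdict}


# Constructed events mirroring this report's findings; the Firefox profile
# directory name and the notes.txt path are made up.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\key3.db"},
    {"type": "file", "path": r"C:\ProgramData\remcos\logs.dat"},
    {"type": "file", "path": r"C:\Users\user\Desktop\notes.txt"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\Rmc-Y2VJ1N"},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
]

if __name__ == "__main__":
    print(classify_events(SAMPLE_EVENTS))
```

The verdict deliberately needs two independent Remcos artifacts: legitimate software reads MachineGuid, and a backup agent may open browser profile files, so neither alone is evidence of this family, whereas the mutex name plus the logs.dat drop location are specific to it.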
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Cells prefixed with a number are techniques matched by this sample's signatures; the remaining cells are the unmatched part of the matrix.

Source | Detection | Scanner | Label
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | 74% | ReversingLabs | Win32.Backdoor.Remcos
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
municipioalcidiadechicamocha.ddnsgeek.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
municipioalcidiadechicamocha.ddnsgeek.com | 179.15.136.6 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
municipioalcidiadechicamocha.ddnsgeek.com | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpT | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp2 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/O | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpX | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp5 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpE | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | false | | high
http://geoplugin.net/json.gp9 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpO | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000003.2155073840.0000000000811000.00000004.00000020.00020000.00000000.sdmp, 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
179.15.136.6 | municipioalcidiadechicamocha.ddnsgeek.com | Colombia | 27831 | ColombiaMovilCO | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1585998
                                                  Start date and time:2025-01-08 15:58:36 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 6m 37s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
                                                  Detection:MAL
                                                  Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 37
                                                  • Number of non-executed functions: 204
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240s for sample files taking high CPU consumption
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
Time | Type | Description
09:59:59 | API Interceptor | 6649691x Sleep call for process: 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | c2.hta | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | c2.hta | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | RailProvides_nopump.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | c2.hta | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | c2.hta | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 4XYAW8PbZH.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | iGhDjzEiDU.exe | malicious | Remcos | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | c2.hta | malicious | Remcos | 178.237.33.50
geoplugin.net | c2.hta | malicious | Remcos | 178.237.33.50
geoplugin.net | RailProvides_nopump.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | c2.hta | malicious | Remcos | 178.237.33.50
geoplugin.net | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 178.237.33.50
geoplugin.net | c2.hta | malicious | Remcos | 178.237.33.50
geoplugin.net | 4XYAW8PbZH.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | iGhDjzEiDU.exe | malicious | Remcos | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
ATOM86-ASATOM86NL | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | RailProvides_nopump.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 9W9jJCj9EV.bat | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
ColombiaMovilCO | sh4.elf | malicious | Mirai | 177.252.126.19
ColombiaMovilCO | armv5l.elf | malicious | Unknown | 191.93.155.250
ColombiaMovilCO | Fantazy.x86.elf | malicious | Unknown | 179.12.199.43
ColombiaMovilCO | armv5l.elf | malicious | Unknown | 191.91.160.57
ColombiaMovilCO | kwari.arm.elf | malicious | Unknown | 181.204.131.174
ColombiaMovilCO | 2LDJIyMl2r.exe | malicious | Remcos | 181.71.216.203
ColombiaMovilCO | telnet.ppc.elf | malicious | Unknown | 177.252.126.11
ColombiaMovilCO | loligang.mpsl.elf | malicious | Mirai | 186.181.45.206
ColombiaMovilCO | armv6l.elf | malicious | Unknown | 186.180.36.76
ColombiaMovilCO | nshkmips.elf | malicious | Mirai | 191.92.238.158
                                                  Process:C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):144
                                                  Entropy (8bit):3.379519383183141
                                                  Encrypted:false
                                                  SSDEEP:3:rgls1kBFiNU5JWRal2Jl+7R0DAlBG45klovDl6v:MlsOBgNU5YcIeeDAlOWAv
                                                  MD5:FE8E7AF14B5B09D78C81DE3B2B89C524
                                                  SHA1:EF4B0C0F88D87BD2D8A0622FD21D96A5A483F843
                                                  SHA-256:CCD2D6ED5FAAE764F471217B7694BBC36C707C7532A262227D08A78D0FCD3088
                                                  SHA-512:CE700A67D6A784A498660D363C766109DC68A9ED9FD72A7FE63AA9C23C15B1819FDE88A7AB8708307D9CC8ED290141707975532E9DE340F6DCF69B2D5BB763B4
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                  Reputation:low
                                                  Preview:....[.2.0.2.5./.0.1./.0.8. .0.9.:.5.9.:.2.7. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
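The preview above is the Remcos offline keylogger log (C:\ProgramData\remcos\logs.dat) as UTF-16LE text: a "[date time Offline Keylogger Started]" session marker followed by a "[window title]" marker, separated by CRLF. The parser below is an added example, not part of the Joe Sandbox report or of Remcos, for pulling sessions and window titles out of such a file during incident response. Its sample input is constructed: the first part reproduces the 144-byte layout of the preview (line breaks inferred as CRLF), and the optional continuation with a second window and typed text is invented to exercise the keystroke branch; that keystroke lines follow their window-title line is an assumption the preview does not show.

```python
import re
from datetime import datetime

# Markers as they appear in the preview of logs.dat:
#   [2025/01/08 09:59:27 Offline Keylogger Started]   session start
#   [Program Manager]                                 foreground window title
SESSION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Offline Keylogger Started\]$")
WINDOW_RE = re.compile(r"^\[(.+)\]$")


def decode_log(raw: bytes) -> str:
    """The preview shows UTF-16LE text without a BOM; tolerate one if present."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le", errors="replace")


def parse_remcos_log(raw: bytes) -> list:
    """Group the log into sessions, each listing the window titles seen and the
    free text (keystrokes) logged under each title. That keystroke lines follow
    their window-title line is an assumption; the report preview shows only the
    two marker kinds above."""
    sessions, session, window = [], None, None
    for line in decode_log(raw).split("\r\n"):
        if not line:
            continue
        m = SESSION_RE.match(line)
        if m:
            session = {"started": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                       "windows": []}
            sessions.append(session)
            window = None
            continue
        m = WINDOW_RE.match(line)
        if m and session is not None:
            window = {"title": m.group(1), "keys": ""}
            session["windows"].append(window)
            continue
        if window is not None:  # anything else is typed text for the current window
            window["keys"] += line
    return sessions


def build_sample_log(with_keystrokes: bool = False) -> bytes:
    """Constructed input. The first part reproduces the 144-byte layout of the
    report preview (CRLF, session marker, blank line, window marker, CRLF);
    the optional continuation is invented to exercise the keystroke branch."""
    text = "\r\n[2025/01/08 09:59:27 Offline Keylogger Started]\r\n\r\n[Program Manager]\r\n"
    if with_keystrokes:
        text += "\r\n[Untitled - Notepad]\r\nhello world\r\n"
    return text.encode("utf-16-le")


if __name__ == "__main__":
    for s in parse_remcos_log(build_sample_log(with_keystrokes=True)):
        print("session started", s["started"].isoformat())
        for w in s["windows"]:
            print(f"  [{w['title']}] {w['keys']!r}")
```

Because the file is written without a BOM, tools that sniff encodings will often show it as binary; decoding explicitly as UTF-16LE is the first step whenever this artefact turns up in a triage.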
                                                  Process:C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):963
                                                  Entropy (8bit):5.019506780280991
                                                  Encrypted:false
                                                  SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                  MD5:7459F6DA71CD5EAF9DBE2D20CA9434AC
                                                  SHA1:4F60E33E15277F7A632D8CD058EC7DF4728B40BC
                                                  SHA-256:364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
                                                  SHA-512:3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
Preview:
{
  "geoplugin_request":"8.46.123.189",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.586552167358971
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
                                                  File size:493'056 bytes
                                                  MD5:3b2dfefa045f3257002ad8313e5d9db2
                                                  SHA1:48b70b309dc15e419112e09c48c93145b6634019
                                                  SHA256:63f66c8c25bd326511fed28aaf214e602c85c2f7793a47cfd5e0f38842a6b86d
                                                  SHA512:ada39e1f3cba0c6307062eaeebd1b9ac53d57ee5195ba1c645f3d4b03dc3cb1e24c0c4dfc9a7d4e042981cd5561f9a5a2b55ad3e5df9b4efa74cf7e5eedea58a
                                                  SSDEEP:12288:L9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5W+P32:Z43HfwIGYMcn5PJrZw+
                                                  TLSH:DDA4BE01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                                  Icon Hash:95694d05214c1b33
                                                  Entrypoint:0x433b4a
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6752B172 [Fri Dec 6 08:10:26 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:e77512f955eaf60ccff45e02d69234de
                                                  Instruction
                                                  call 00007F160C614F83h
                                                  jmp 00007F160C6148DFh
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 00000324h
                                                  push ebx
                                                  push 00000017h
                                                  call 00007F160C636DB9h
                                                  test eax, eax
                                                  je 00007F160C614A67h
                                                  mov ecx, dword ptr [ebp+08h]
                                                  int 29h
                                                  push 00000003h
                                                  call 00007F160C614C24h
                                                  mov dword ptr [esp], 000002CCh
                                                  lea eax, dword ptr [ebp-00000324h]
                                                  push 00000000h
                                                  push eax
                                                  call 00007F160C616F3Bh
                                                  add esp, 0Ch
                                                  mov dword ptr [ebp-00000274h], eax
                                                  mov dword ptr [ebp-00000278h], ecx
                                                  mov dword ptr [ebp-0000027Ch], edx
                                                  mov dword ptr [ebp-00000280h], ebx
                                                  mov dword ptr [ebp-00000284h], esi
                                                  mov dword ptr [ebp-00000288h], edi
                                                  mov word ptr [ebp-0000025Ch], ss
                                                  mov word ptr [ebp-00000268h], cs
                                                  mov word ptr [ebp-0000028Ch], ds
                                                  mov word ptr [ebp-00000290h], es
                                                  mov word ptr [ebp-00000294h], fs
                                                  mov word ptr [ebp-00000298h], gs
                                                  pushfd
                                                  pop dword ptr [ebp-00000264h]
                                                  mov eax, dword ptr [ebp+04h]
                                                  mov dword ptr [ebp-0000026Ch], eax
                                                  lea eax, dword ptr [ebp+04h]
                                                  mov dword ptr [ebp-00000260h], eax
                                                  mov dword ptr [ebp-00000324h], 00010001h
                                                  mov eax, dword ptr [eax-04h]
                                                  push 00000050h
                                                  mov dword ptr [ebp-00000270h], eax
                                                  lea eax, dword ptr [ebp-58h]
                                                  push 00000000h
                                                  push eax
                                                  call 00007F160C616EB1h
                                                  Programming Language:
                                                  • [C++] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4ac4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b88 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55f2d | 0x56000 | c9fb1fecb5f01a3c88e2bc00eccd57c4 | False | 0.5739377043968024 | data | 6.621523378040251 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x57000 | 0x18b00 | 0x18c00 | 0ba285a9a28b1dec254a7539ab18f8d0 | False | 0.4981455176767677 | OpenPGP Secret Key Version 6 | 5.75873851406894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x70000 | 0x5d8c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x76000 | 0x4ac4 | 0x4c00 | f0bfff813f77def16068c13927eda284 | False | 0.27641858552631576 | data | 3.982613314281073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x3b88 | 0x3c00 | b875bbd60cc90da8a22f40034fe9606e | False | 0.7575520833333333 | data | 6.702930468027394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
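The data directory and section tables above are what a reviewer reads first: an empty IMAGE_DIRECTORY_ENTRY_SECURITY means there is no Authenticode signature (matching "Digitally signed: false"), the section characteristics show whether any region is both writable and executable, and the per-section 8-bit entropy is the usual packing indicator. The Python below is an added example, not Joe Sandbox's or the sample's code, that derives those three figures from a raw PE32 file with the standard library only. The file it parses is a constructed two-section stub built by build_sample_pe(), not this report's sample, so the values it prints are not the ones in the tables; only PE32 (32-bit) headers are handled, and the entropy threshold of 7.0 is this example's own choice.

```python
import math
import struct
from collections import Counter

# Section characteristic bits from winnt.h (the names used in the table above).
SCN_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
             0x80: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
             0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
             0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode certificate table


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the 'Entropy (8bit)' figure in the report."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_names(characteristics: int) -> list:
    return [name for bit, name in SCN_FLAGS.items() if characteristics & bit]


def parse_pe32(buf: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF/optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) handled here")
    entry, = struct.unpack_from("<I", buf, opt + 16)
    image_base, = struct.unpack_from("<I", buf, opt + 28)
    n_dirs, = struct.unpack_from("<I", buf, opt + 92)
    sec_size = 0                             # data directories start at optional-header offset 96
    if n_dirs > DIR_SECURITY:
        sec_size = struct.unpack_from("<I", buf, opt + 96 + DIR_SECURITY * 8 + 4)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": rawsize, "chars": chars,
                         "entropy": shannon_entropy(buf[rawptr:rawptr + rawsize])})
    return {"entrypoint": image_base + entry, "signed": sec_size != 0, "sections": sections}


def triage(buf: bytes, entropy_threshold: float = 7.0) -> tuple:
    """Three checks a reviewer applies to the tables above: missing Authenticode
    signature, writable+executable sections, and packed/encrypted content."""
    info = parse_pe32(buf)
    findings = []
    if not info["signed"]:
        findings.append("unsigned: IMAGE_DIRECTORY_ENTRY_SECURITY is empty")
    for s in info["sections"]:
        if s["chars"] & 0x80000000 and s["chars"] & 0x20000000:
            findings.append(f"{s['name']}: writable and executable")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} suggests packed or encrypted content")
    return info, findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for demonstration, NOT the sample from this report:
    .text holds every byte value twice (entropy 8.0) and .data is marked W+X."""
    sections = [(b".text", 0x1000, 0x60000020, bytes(range(256)) * 2),
                (b".data", 0x2000, 0xE0000040, bytes(512))]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, 2)               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes; every directory left empty
    raw_ptr, hdrs, body = 0x200, b"", b""            # first file-aligned offset past the headers
    for name, va, chars, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data),
                            raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data
    out = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return out + bytes(raw_ptr - len(out)) + body


if __name__ == "__main__":
    info, findings = triage(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:<8} VA=0x{s['va']:x} entropy={s['entropy']:.2f} {', '.join(flag_names(s['chars']))}")
    print("\n".join(findings))
```

Run against a real file (`triage(open(path, "rb").read())`) the same code reproduces the Entropy and Characteristics columns; on this sample the interesting row is .text at 6.62, which is high for compiled code but below the packed range, consistent with the sample being a plain, unpacked Remcos build rather than a crypted one.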
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7a5cc | 0x4b7 | data | - | - | 1.0091135045567523
RT_GROUP_ICON | 0x7aa84 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T15:59:27.982408+0100 | 2834936 | ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) | 1 | 192.168.2.6 | 55180 | 1.1.1.1 | 53 | UDP
2025-01-08T15:59:28.810103+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49709 | 179.15.136.6 | 1997 | TCP
2025-01-08T15:59:31.456177+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49710 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 15:59:28.107433081 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:28.112217903 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:28.112409115 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:28.118123055 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:28.122982979 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:28.754676104 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:28.810102940 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:28.882750988 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:28.887278080 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:28.892101049 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:28.892199993 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:28.897030115 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:29.216356993 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:29.220773935 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:29.225630045 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:29.355505943 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:29.403719902 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:30.818301916 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 15:59:30.824517965 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.6
Jan 8, 2025 15:59:30.824702024 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 15:59:30.824976921 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 15:59:30.831047058 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.6
Jan 8, 2025 15:59:31.456108093 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.6
Jan 8, 2025 15:59:31.456176996 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 15:59:31.496723890 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:31.501641989 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:32.456455946 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.6
Jan 8, 2025 15:59:32.456513882 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 15:59:36.633281946 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 15:59:36.634876966 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 15:59:36.639645100 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:00:06.948946953 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:00:06.950520039 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 16:00:06.955311060 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:00:37.053644896 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:00:37.057401896 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 16:00:37.062199116 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:01:07.046379089 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:01:07.048649073 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 16:01:07.053566933 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:01:20.779212952 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 16:01:21.138319016 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 16:01:21.747638941 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 16:01:23.044529915 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 16:01:25.451374054 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 16:01:30.435173988 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 16:01:37.080728054 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:01:37.082350969 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 16:01:37.087105989 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:01:40.044548035 CET | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Jan 8, 2025 16:02:07.107937098 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:02:07.109800100 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 16:02:07.114584923 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:02:37.072588921 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:02:37.077820063 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 16:02:37.084659100 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:03:07.082614899 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Jan 8, 2025 16:03:07.084528923 CET | 49709 | 1997 | 192.168.2.6 | 179.15.136.6
Jan 8, 2025 16:03:07.089309931 CET | 1997 | 49709 | 179.15.136.6 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 15:59:27.982408047 CET | 55180 | 53 | 192.168.2.6 | 1.1.1.1
Jan 8, 2025 15:59:28.104314089 CET | 53 | 55180 | 1.1.1.1 | 192.168.2.6
Jan 8, 2025 15:59:30.805536032 CET | 61815 | 53 | 192.168.2.6 | 1.1.1.1
Jan 8, 2025 15:59:30.813924074 CET | 53 | 61815 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 15:59:27.982408047 CET | 192.168.2.6 | 1.1.1.1 | 0x2164 | Standard query (0) | municipioalcidiadechicamocha.ddnsgeek.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:59:30.805536032 CET | 192.168.2.6 | 1.1.1.1 | 0x6d17 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 15:59:28.104314089 CET | 1.1.1.1 | 192.168.2.6 | 0x2164 | No error (0) | municipioalcidiadechicamocha.ddnsgeek.com | | 179.15.136.6 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:59:30.813924074 CET | 1.1.1.1 | 192.168.2.6 | 0x6d17 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 178.237.33.50 | 80 | 1664 | C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 15:59:30.824976921 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                  Host: geoplugin.net
                                                  Cache-Control: no-cache
Jan 8, 2025 15:59:31.456108093 CET | 1171 | IN | HTTP/1.1 200 OK
                                                  date: Wed, 08 Jan 2025 14:59:31 GMT
                                                  server: Apache
                                                  content-length: 963
                                                  content-type: application/json; charset=utf-8
                                                  cache-control: public, max-age=300
                                                  access-control-allow-origin: *
                                                  Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                  Target ID:0
                                                  Start time:09:59:27
                                                  Start date:08/01/2025
                                                  Path:C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe"
                                                  Imagebase:0x400000
                                                  File size:493'056 bytes
                                                  MD5 hash:3B2DFEFA045F3257002AD8313E5D9DB2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4578041421.000000000235F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2119477224.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4577712852.0000000000811000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4577712852.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:4.2%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:23.1%
                                                    Total number of Nodes:1309
                                                    Total number of Limit Nodes:58
46555->46776 46558 40e117 46559 401e13 26 API calls 46558->46559 46560 40e121 46559->46560 46561 401e13 26 API calls 46560->46561 46561->46537 46562->46248 46563->46254 46564->46252 46565->46262 46566->46264 46567->46267 46568->46242 46569->46245 46570->46249 46571->46271 46572->46273 46573->46276 46574->46274 46576 433c81 GetStartupInfoW 46575->46576 46576->46282 46578 44dde2 46577->46578 46580 44ddeb 46577->46580 46582 44dcd8 51 API calls 4 library calls 46578->46582 46580->46286 46581->46286 46582->46580 46584 41bd32 LoadLibraryA GetProcAddress 46583->46584 46585 41bd22 GetModuleHandleA GetProcAddress 46583->46585 46586 41bd5b 32 API calls 46584->46586 46587 41bd4b LoadLibraryA GetProcAddress 46584->46587 46585->46584 46586->46290 46587->46586 46969 41a64f FindResourceA 46588->46969 46591 43a89c ___crtLCMapStringA 21 API calls 46592 40e192 ctype 46591->46592 46593 401f86 28 API calls 46592->46593 46594 40e1ad 46593->46594 46595 401eef 26 API calls 46594->46595 46596 40e1b8 46595->46596 46597 401eea 26 API calls 46596->46597 46598 40e1c1 46597->46598 46599 43a89c ___crtLCMapStringA 21 API calls 46598->46599 46600 40e1d2 ctype 46599->46600 46972 406052 46600->46972 46602 40e205 46602->46292 46620 41afe6 46603->46620 46604 401eea 26 API calls 46605 41b088 46604->46605 46606 401eea 26 API calls 46605->46606 46609 41b090 46606->46609 46607 41b058 46610 403b60 28 API calls 46607->46610 46611 401eea 26 API calls 46609->46611 46612 41b064 46610->46612 46615 40d7c6 46611->46615 46613 401eef 26 API calls 46612->46613 46616 41b06d 46613->46616 46614 401eef 26 API calls 46614->46620 46624 40e8bd 46615->46624 46617 401eea 26 API calls 46616->46617 46619 41b075 46617->46619 46618 401eea 26 API calls 46618->46620 46979 41bfb9 28 API calls 46619->46979 46620->46607 46620->46614 46620->46618 46623 41b056 46620->46623 46975 403b60 46620->46975 46978 41bfb9 28 API calls 46620->46978 46623->46604 46625 40e8ca 46624->46625 46627 40e8da 46625->46627 46996 40200a 26 API calls 
46625->46996 46627->46300 46629 401d6c 46628->46629 46630 401d74 46629->46630 46997 401fff 28 API calls 46629->46997 46630->46307 46634 404ccb 46633->46634 46998 402e78 46634->46998 46636 404cee 46636->46314 47007 404bc4 46637->47007 46639 405cf4 46639->46318 46641 401efe 46640->46641 46643 401f0a 46641->46643 47016 4021b9 26 API calls 46641->47016 46643->46321 46646 401ec9 46644->46646 46645 401ee4 46645->46331 46646->46645 46647 402325 28 API calls 46646->46647 46647->46645 47017 401e8f 46648->47017 46650 40bee1 CreateMutexA GetLastError 46650->46347 47019 41b16b 46651->47019 46653 41a481 47023 412513 RegOpenKeyExA 46653->47023 46656 401eef 26 API calls 46657 41a4af 46656->46657 46658 401eea 26 API calls 46657->46658 46659 41a4b7 46658->46659 46660 41a50a 46659->46660 46661 412513 31 API calls 46659->46661 46660->46352 46662 41a4dd 46661->46662 46663 41a4e8 StrToIntA 46662->46663 46664 41a4ff 46663->46664 46665 41a4f6 46663->46665 46667 401eea 26 API calls 46664->46667 47028 41c112 28 API calls 46665->47028 46667->46660 46669 40698f 46668->46669 46670 4124b7 3 API calls 46669->46670 46671 406996 46670->46671 46671->46364 46671->46365 46673 41ae2c 46672->46673 47029 40b027 46673->47029 46675 41ae34 46675->46378 46677 401e27 46676->46677 46679 401e33 46677->46679 47038 402121 26 API calls 46677->47038 46679->46381 46682 402121 46680->46682 46681 402150 46681->46384 46682->46681 47039 402718 26 API calls _Deallocate 46682->47039 46685 4128c0 46684->46685 46686 406052 28 API calls 46685->46686 46687 4128d5 46686->46687 46688 401fbd 28 API calls 46687->46688 46689 4128e5 46688->46689 46690 4126d2 29 API calls 46689->46690 46691 4128ef 46690->46691 46692 401eea 26 API calls 46691->46692 46693 4128fc 46692->46693 46693->46428 46695 401f6e 46694->46695 47040 402301 46695->47040 46699 412722 46698->46699 46702 4126eb 46698->46702 46700 401eea 26 API calls 46699->46700 46701 40dd3b 46700->46701 46701->46431 46703 4126fd RegSetValueExA RegCloseKey 46702->46703 46703->46699 
46705 43a610 _strftime 46704->46705 47044 43994e 46705->47044 46709 41a747 46708->46709 46710 41a6ac GetLocalTime 46708->46710 46712 401eea 26 API calls 46709->46712 46711 404cbf 28 API calls 46710->46711 46713 41a6ee 46711->46713 46714 41a74f 46712->46714 46715 405ce6 28 API calls 46713->46715 46716 401eea 26 API calls 46714->46716 46717 41a6fa 46715->46717 46718 40ddaa 46716->46718 47078 4027cb 46717->47078 46718->46455 46720 41a706 46721 405ce6 28 API calls 46720->46721 46722 41a712 46721->46722 47081 406478 76 API calls 46722->47081 46724 41a720 46725 401eea 26 API calls 46724->46725 46726 41a72c 46725->46726 46727 401eea 26 API calls 46726->46727 46728 41a735 46727->46728 46729 401eea 26 API calls 46728->46729 46730 41a73e 46729->46730 46731 401eea 26 API calls 46730->46731 46731->46709 46733 409536 _wcslen 46732->46733 46734 409541 46733->46734 46735 409558 46733->46735 46736 40c89e 32 API calls 46734->46736 46737 40c89e 32 API calls 46735->46737 46738 409549 46736->46738 46739 409560 46737->46739 46741 401e18 26 API calls 46738->46741 46740 401e18 26 API calls 46739->46740 46742 40956e 46740->46742 46743 409553 46741->46743 46744 401e13 26 API calls 46742->46744 46746 401e13 26 API calls 46743->46746 46745 409576 46744->46745 47101 40856b 28 API calls 46745->47101 46748 4095ad 46746->46748 47086 409837 46748->47086 46749 409588 47102 4028cf 46749->47102 46753 409593 46754 401e18 26 API calls 46753->46754 46755 40959d 46754->46755 46756 401e13 26 API calls 46755->46756 46756->46743 47282 403b40 46757->47282 46761 41a80d 46762 4028cf 28 API calls 46761->46762 46763 41a817 46762->46763 46764 401e13 26 API calls 46763->46764 46765 41a820 46764->46765 46766 401e13 26 API calls 46765->46766 46767 40dfc3 46766->46767 46767->46508 46769 41248f RegQueryValueExA RegCloseKey 46768->46769 46770 40e08b 46768->46770 46769->46770 46770->46537 46770->46538 46772 4125b0 RegQueryValueExW RegCloseKey 46771->46772 46773 4125dd 46771->46773 46772->46773 46774 403b40 28 API calls 
46773->46774 46775 40e0ba 46774->46775 46775->46549 46777 412992 RegDeleteValueW 46776->46777 46778 4129a6 46776->46778 46777->46778 46779 4129a2 46777->46779 46778->46558 46779->46558 46781 40cbc5 46780->46781 46782 41246e 3 API calls 46781->46782 46783 40cbcc 46782->46783 46784 40cbeb 46783->46784 47304 401602 46783->47304 46788 413fd4 46784->46788 46786 40cbd9 47307 4127d5 RegCreateKeyA 46786->47307 46789 413feb 46788->46789 47324 41aa83 46789->47324 46791 413ff6 46792 401d64 28 API calls 46791->46792 46793 41400f 46792->46793 46794 43a5f7 _strftime 42 API calls 46793->46794 46795 41401c 46794->46795 46796 414021 Sleep 46795->46796 46797 41402e 46795->46797 46796->46797 46798 401f66 28 API calls 46797->46798 46799 41403d 46798->46799 46800 401d64 28 API calls 46799->46800 46801 41404b 46800->46801 46802 401fbd 28 API calls 46801->46802 46803 414053 46802->46803 46804 41afd3 28 API calls 46803->46804 46805 41405b 46804->46805 47328 404262 WSAStartup 46805->47328 46807 414065 46808 401d64 28 API calls 46807->46808 46809 41406e 46808->46809 46810 401d64 28 API calls 46809->46810 46859 4140ed 46809->46859 46811 414087 46810->46811 46814 401d64 28 API calls 46811->46814 46812 401d64 28 API calls 46812->46859 46813 401fbd 28 API calls 46813->46859 46815 414098 46814->46815 46817 401d64 28 API calls 46815->46817 46816 41afd3 28 API calls 46816->46859 46818 4140a9 46817->46818 46819 401d64 28 API calls 46818->46819 46821 4140ba 46819->46821 46820 4085b4 28 API calls 46820->46859 46823 401d64 28 API calls 46821->46823 46822 401eef 26 API calls 46822->46859 46824 4140cb 46823->46824 46825 401d64 28 API calls 46824->46825 46826 4140dd 46825->46826 47461 404101 87 API calls 46826->47461 46829 414244 WSAGetLastError 47462 41bc86 30 API calls 46829->47462 46833 401f66 28 API calls 46836 414259 46833->46836 46836->46833 46837 41a696 79 API calls 46836->46837 46840 401d8c 26 API calls 46836->46840 46841 401d64 28 API calls 46836->46841 46842 43a5f7 _strftime 42 API calls 
46836->46842 46836->46859 46879 414b22 CreateThread 46836->46879 46880 401eea 26 API calls 46836->46880 46881 401e13 26 API calls 46836->46881 47463 404c9e 28 API calls 46836->47463 47465 40a767 84 API calls 46836->47465 47466 4047eb 98 API calls 46836->47466 46837->46836 46839 404cbf 28 API calls 46839->46859 46840->46836 46841->46836 46843 414b80 Sleep 46842->46843 46843->46836 46844 405ce6 28 API calls 46844->46859 46845 4027cb 28 API calls 46845->46859 46846 401f66 28 API calls 46846->46859 46847 41a696 79 API calls 46847->46859 46848 401eea 26 API calls 46848->46859 46851 4082dc 28 API calls 46851->46859 46852 440c61 26 API calls 46852->46859 46853 41265d 3 API calls 46853->46859 46854 412513 31 API calls 46854->46859 46855 403b40 28 API calls 46855->46859 46859->46812 46859->46813 46859->46816 46859->46820 46859->46822 46859->46829 46859->46836 46859->46839 46859->46844 46859->46845 46859->46846 46859->46847 46859->46848 46859->46851 46859->46852 46859->46853 46859->46854 46859->46855 46860 41ad56 28 API calls 46859->46860 46861 401d64 28 API calls 46859->46861 47329 413f9a 46859->47329 47334 4041f1 46859->47334 47341 404915 46859->47341 47356 40428c connect 46859->47356 47416 41a97d 46859->47416 47419 413683 46859->47419 47422 40cbf1 46859->47422 47428 41adfe 46859->47428 47431 41aed8 46859->47431 46860->46859 46862 4144ed GetTickCount 46861->46862 46863 41ad56 28 API calls 46862->46863 46867 414507 46863->46867 46865 41ad56 28 API calls 46865->46867 46867->46865 46869 41aed8 28 API calls 46867->46869 46871 405ce6 28 API calls 46867->46871 46872 40275c 28 API calls 46867->46872 46873 4027cb 28 API calls 46867->46873 46875 401eea 26 API calls 46867->46875 46876 401e13 26 API calls 46867->46876 47435 41acb0 GetLastInputInfo GetTickCount 46867->47435 47436 41ac62 46867->47436 47441 40e679 GetLocaleInfoA 46867->47441 47444 4027ec 28 API calls 46867->47444 47445 4045d5 46867->47445 47464 404468 60 API calls ctype 46867->47464 46869->46867 46871->46867 
46872->46867 46873->46867 46875->46867 46876->46867 46879->46836 47623 419e99 103 API calls 46879->47623 46880->46836 46881->46836 46882->46308 46883->46317 46886 4085c0 46885->46886 46887 402e78 28 API calls 46886->46887 46888 4085e4 46887->46888 46888->46339 46890 4124e1 RegQueryValueExA RegCloseKey 46889->46890 46891 41250b 46889->46891 46890->46891 46891->46335 46892->46342 46893->46371 46894->46365 46895->46355 46896->46369 46898 40c8ba 46897->46898 46899 40c8da 46898->46899 46900 40c90f 46898->46900 46902 40c8d0 46898->46902 47624 41a75b 29 API calls 46899->47624 46901 41b16b 2 API calls 46900->46901 46906 40c914 46901->46906 46904 40ca03 GetLongPathNameW 46902->46904 46905 403b40 28 API calls 46904->46905 46908 40ca18 46905->46908 46909 40c918 46906->46909 46910 40c96a 46906->46910 46907 40c8e3 46911 401e18 26 API calls 46907->46911 46912 403b40 28 API calls 46908->46912 46914 403b40 28 API calls 46909->46914 46913 403b40 28 API calls 46910->46913 46915 40c8ed 46911->46915 46916 40ca27 46912->46916 46917 40c978 46913->46917 46918 40c926 46914->46918 46920 401e13 26 API calls 46915->46920 47627 40cc37 28 API calls 46916->47627 46923 403b40 28 API calls 46917->46923 46924 403b40 28 API calls 46918->46924 46920->46902 46921 40ca3a 47628 402860 28 API calls 46921->47628 46926 40c98e 46923->46926 46927 40c93c 46924->46927 46925 40ca45 47629 402860 28 API calls 46925->47629 47626 402860 28 API calls 46926->47626 47625 402860 28 API calls 46927->47625 46931 40ca4f 46934 401e13 26 API calls 46931->46934 46932 40c999 46935 401e18 26 API calls 46932->46935 46933 40c947 46936 401e18 26 API calls 46933->46936 46937 40ca59 46934->46937 46938 40c9a4 46935->46938 46939 40c952 46936->46939 46940 401e13 26 API calls 46937->46940 46941 401e13 26 API calls 46938->46941 46942 401e13 26 API calls 46939->46942 46944 40ca62 46940->46944 46945 40c9ad 46941->46945 46943 40c95b 46942->46943 46947 401e13 26 API calls 46943->46947 46948 401e13 26 API calls 46944->46948 46946 401e13 26 
API calls 46945->46946 46946->46915 46947->46915 46949 40ca6b 46948->46949 46950 401e13 26 API calls 46949->46950 46951 40ca74 46950->46951 46952 401e13 26 API calls 46951->46952 46953 40ca7d 46952->46953 46953->46416 46954->46429 46955->46451 46957 412683 RegQueryValueExA RegCloseKey 46956->46957 46958 4126a7 46956->46958 46957->46958 46958->46409 46959->46443 46960->46480 46961->46489 46962->46513 46963->46501 46964->46534 46966 401e0c 46965->46966 46967->46360 46970 40e183 46969->46970 46971 41a66c LoadResource LockResource SizeofResource 46969->46971 46970->46591 46971->46970 46973 401f86 28 API calls 46972->46973 46974 406066 46973->46974 46974->46602 46980 403c30 46975->46980 46978->46620 46979->46623 46981 403c39 46980->46981 46984 403c59 46981->46984 46985 403c68 46984->46985 46990 4032a4 46985->46990 46987 403c74 46988 402325 28 API calls 46987->46988 46989 403b73 46988->46989 46989->46620 46991 4032b0 46990->46991 46992 4032ad 46990->46992 46995 4032b6 28 API calls 46991->46995 46992->46987 46996->46627 46999 402e85 46998->46999 47000 402e98 46999->47000 47002 402ea9 46999->47002 47003 402eae 46999->47003 47005 403445 28 API calls 47000->47005 47002->46636 47003->47002 47006 40225b 26 API calls 47003->47006 47005->47002 47006->47002 47008 404bd0 47007->47008 47011 40245c 47008->47011 47010 404be4 47010->46639 47012 402469 47011->47012 47014 402478 47012->47014 47015 402ad3 28 API calls 47012->47015 47014->47010 47015->47014 47016->46643 47018 401e94 47017->47018 47020 41b193 47019->47020 47021 41b178 GetCurrentProcess IsWow64Process 47019->47021 47020->46653 47021->47020 47022 41b18f 47021->47022 47022->46653 47024 412541 RegQueryValueExA RegCloseKey 47023->47024 47025 412569 47023->47025 47024->47025 47026 401f66 28 API calls 47025->47026 47027 41257e 47026->47027 47027->46656 47028->46664 47030 40b02f 47029->47030 47033 40b04b 47030->47033 47032 40b045 47032->46675 47034 40b055 47033->47034 47036 40b060 47034->47036 47037 40b138 28 API calls 
47034->47037 47036->47032 47037->47036 47038->46679 47039->46681 47041 40230d 47040->47041 47042 402325 28 API calls 47041->47042 47043 401f80 47042->47043 47043->46423 47062 43a555 47044->47062 47046 43999b 47071 4392ee 38 API calls 2 library calls 47046->47071 47048 439960 47048->47046 47049 439975 47048->47049 47061 40dd54 47048->47061 47069 445364 20 API calls __dosmaperr 47049->47069 47051 43997a 47070 43a837 26 API calls _Deallocate 47051->47070 47054 4399a7 47055 4399d6 47054->47055 47072 43a59a 42 API calls __Toupper 47054->47072 47058 439a42 47055->47058 47073 43a501 26 API calls 2 library calls 47055->47073 47074 43a501 26 API calls 2 library calls 47058->47074 47059 439b09 _strftime 47059->47061 47075 445364 20 API calls __dosmaperr 47059->47075 47061->46437 47061->46439 47063 43a55a 47062->47063 47064 43a56d 47062->47064 47076 445364 20 API calls __dosmaperr 47063->47076 47064->47048 47066 43a55f 47077 43a837 26 API calls _Deallocate 47066->47077 47068 43a56a 47068->47048 47069->47051 47070->47061 47071->47054 47072->47054 47073->47058 47074->47059 47075->47061 47076->47066 47077->47068 47082 401e9b 47078->47082 47080 4027d9 47080->46720 47081->46724 47083 401ea7 47082->47083 47084 40245c 28 API calls 47083->47084 47085 401eb9 47084->47085 47085->47080 47087 409855 47086->47087 47088 4124b7 3 API calls 47087->47088 47089 40985c 47088->47089 47090 409870 47089->47090 47091 40988a 47089->47091 47093 4095cf 47090->47093 47094 409875 47090->47094 47105 4082dc 47091->47105 47093->46474 47096 4082dc 28 API calls 47094->47096 47098 409883 47096->47098 47131 409959 29 API calls 47098->47131 47100 409888 47100->47093 47101->46749 47273 402d8b 47102->47273 47104 4028dd 47104->46753 47106 4082eb 47105->47106 47132 408431 47106->47132 47108 408309 47109 4098a5 47108->47109 47137 40affa 47109->47137 47112 4098f6 47114 401f66 28 API calls 47112->47114 47113 4098ce 47115 401f66 28 API calls 47113->47115 47116 409901 47114->47116 47117 4098d8 47115->47117 47118 401f66 
28 API calls 47116->47118 47119 41ae18 28 API calls 47117->47119 47120 409910 47118->47120 47121 4098e6 47119->47121 47123 41a696 79 API calls 47120->47123 47141 40a876 31 API calls ___crtLCMapStringA 47121->47141 47125 409915 CreateThread 47123->47125 47124 4098ed 47126 401eea 26 API calls 47124->47126 47127 409930 CreateThread 47125->47127 47128 40993c CreateThread 47125->47128 47153 4099a9 47125->47153 47126->47112 47127->47128 47150 409993 47127->47150 47129 401e13 26 API calls 47128->47129 47147 4099b5 47128->47147 47130 409950 47129->47130 47130->47093 47131->47100 47272 40999f 135 API calls 47131->47272 47133 40843d 47132->47133 47135 40845b 47133->47135 47136 402f0d 28 API calls 47133->47136 47135->47108 47136->47135 47139 40b006 47137->47139 47138 4098c3 47138->47112 47138->47113 47139->47138 47142 403b9e 47139->47142 47141->47124 47143 403ba8 47142->47143 47145 403bb3 47143->47145 47146 403cfd 28 API calls 47143->47146 47145->47138 47146->47145 47156 40a3f4 47147->47156 47205 4099e4 47150->47205 47227 409e48 47153->47227 47184 40a402 47156->47184 47157 4099be 47158 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47159 40b027 28 API calls 47158->47159 47159->47184 47162 41acb0 GetLastInputInfo GetTickCount 47162->47184 47164 40a4a2 GetWindowTextW 47164->47184 47166 401e13 26 API calls 47166->47184 47167 40a5ff 47169 401e13 26 API calls 47167->47169 47168 40affa 28 API calls 47168->47184 47169->47157 47170 40a569 Sleep 47170->47184 47173 401f66 28 API calls 47173->47184 47174 40a4f1 47176 4082dc 28 API calls 47174->47176 47174->47184 47189 40a876 31 API calls ___crtLCMapStringA 47174->47189 47176->47174 47178 405ce6 28 API calls 47178->47184 47180 4028cf 28 API calls 47180->47184 47181 41ae18 28 API calls 47181->47184 47182 409d58 27 API calls 47182->47184 47183 401eea 26 API calls 47183->47184 47184->47157 47184->47158 47184->47162 47184->47164 47184->47166 47184->47167 47184->47168 47184->47170 47184->47173 47184->47174 47184->47178 47184->47180 
47184->47181 47184->47182 47184->47183 47185 433529 5 API calls __Init_thread_wait 47184->47185 47186 4338b5 29 API calls __onexit 47184->47186 47187 4334df EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47184->47187 47188 4082a8 28 API calls 47184->47188 47190 40b0dd 28 API calls 47184->47190 47191 40ae58 44 API calls 2 library calls 47184->47191 47192 440c61 47184->47192 47196 404c9e 28 API calls 47184->47196 47185->47184 47186->47184 47187->47184 47188->47184 47189->47174 47190->47184 47191->47184 47193 440c6d 47192->47193 47197 440a5d 47193->47197 47196->47184 47198 440a74 47197->47198 47199 440ab5 47198->47199 47203 445364 20 API calls __dosmaperr 47198->47203 47199->47184 47201 440aab 47204 43a837 26 API calls _Deallocate 47201->47204 47203->47201 47204->47199 47206 409a63 GetMessageA 47205->47206 47207 4099ff SetWindowsHookExA 47205->47207 47208 409a75 TranslateMessage DispatchMessageA 47206->47208 47220 40999c 47206->47220 47207->47206 47210 409a1b GetLastError 47207->47210 47208->47206 47208->47220 47221 41ad56 47210->47221 47214 409a3e 47215 401f66 28 API calls 47214->47215 47216 409a4d 47215->47216 47217 41a696 79 API calls 47216->47217 47218 409a52 47217->47218 47219 401eea 26 API calls 47218->47219 47219->47220 47222 440c61 26 API calls 47221->47222 47223 41ad77 47222->47223 47224 401f66 28 API calls 47223->47224 47225 409a31 47224->47225 47226 404c9e 28 API calls 47225->47226 47226->47214 47228 409e5d Sleep 47227->47228 47247 409d97 47228->47247 47230 4099b2 47231 409e9d CreateDirectoryW 47235 409e6f 47231->47235 47232 409eae GetFileAttributesW 47232->47235 47233 409ec5 SetFileAttributesW 47233->47235 47235->47228 47235->47230 47235->47231 47235->47232 47235->47233 47237 401d64 28 API calls 47235->47237 47245 409f10 47235->47245 47260 41b59f 47235->47260 47236 409f3f PathFileExistsW 47236->47245 47237->47235 47238 401f86 28 API calls 47238->47245 47240 40a048 SetFileAttributesW 47240->47235 47241 401eea 26 API calls 47241->47245 47242 
406052 28 API calls 47242->47245 47243 401eef 26 API calls 47243->47245 47245->47236 47245->47238 47245->47240 47245->47241 47245->47242 47245->47243 47246 401eea 26 API calls 47245->47246 47269 41b62a 32 API calls 47245->47269 47270 41b697 CreateFileW SetFilePointer WriteFile CloseHandle 47245->47270 47246->47235 47248 409e44 47247->47248 47253 409dad 47247->47253 47248->47235 47249 409dcc CreateFileW 47250 409dda GetFileSize 47249->47250 47249->47253 47251 409e0f CloseHandle 47250->47251 47250->47253 47251->47253 47252 409e21 47252->47248 47257 4082dc 28 API calls 47252->47257 47253->47249 47253->47251 47253->47252 47254 409e04 Sleep 47253->47254 47255 409dfd 47253->47255 47254->47251 47271 40a7f0 83 API calls 47255->47271 47258 409e3d 47257->47258 47259 4098a5 126 API calls 47258->47259 47259->47248 47261 41b5b2 CreateFileW 47260->47261 47263 41b5ef 47261->47263 47264 41b5eb 47261->47264 47265 41b606 WriteFile 47263->47265 47266 41b5f6 SetFilePointer 47263->47266 47264->47235 47267 41b61b CloseHandle 47265->47267 47268 41b619 47265->47268 47266->47265 47266->47267 47267->47264 47268->47267 47269->47245 47270->47245 47271->47254 47274 402d97 47273->47274 47277 4030f7 47274->47277 47276 402dab 47276->47104 47278 403101 47277->47278 47280 403115 47278->47280 47281 4036c2 28 API calls 47278->47281 47280->47276 47281->47280 47283 403b48 47282->47283 47289 403b7a 47283->47289 47286 403cbb 47293 403dc2 47286->47293 47288 403cc9 47288->46761 47290 403b86 47289->47290 47291 403b9e 28 API calls 47290->47291 47292 403b5a 47291->47292 47292->47286 47294 403dce 47293->47294 47297 402ffd 47294->47297 47296 403de3 47296->47288 47298 40300e 47297->47298 47299 4032a4 28 API calls 47298->47299 47300 40301a 47299->47300 47302 40302e 47300->47302 47303 4035e8 28 API calls 47300->47303 47302->47296 47303->47302 47310 4395ca 47304->47310 47308 412814 47307->47308 47309 4127ed RegSetValueExA RegCloseKey 47307->47309 47308->46784 47309->47308 47313 43954b 47310->47313 47312 401608 
47312->46786 47314 43955a 47313->47314 47315 43956e 47313->47315 47321 445364 20 API calls __dosmaperr 47314->47321 47320 43956a __alldvrm 47315->47320 47323 447611 11 API calls 2 library calls 47315->47323 47317 43955f 47322 43a837 26 API calls _Deallocate 47317->47322 47320->47312 47321->47317 47322->47320 47323->47320 47327 41aac9 ctype ___scrt_fastfail 47324->47327 47325 401f66 28 API calls 47326 41ab3e 47325->47326 47326->46791 47327->47325 47328->46807 47330 413fb3 getaddrinfo WSASetLastError 47329->47330 47331 413fa9 47329->47331 47330->46859 47467 413e37 35 API calls ___std_exception_copy 47331->47467 47333 413fae 47333->47330 47335 404206 socket 47334->47335 47336 4041fd 47334->47336 47338 404220 47335->47338 47339 404224 CreateEventW 47335->47339 47468 404262 WSAStartup 47336->47468 47338->46859 47339->46859 47340 404202 47340->47335 47340->47338 47342 4049b1 47341->47342 47343 40492a 47341->47343 47342->46859 47344 404933 47343->47344 47345 404987 CreateEventA CreateThread 47343->47345 47346 404942 GetLocalTime 47343->47346 47344->47345 47345->47342 47470 404b1d 47345->47470 47347 41ad56 28 API calls 47346->47347 47348 40495b 47347->47348 47469 404c9e 28 API calls 47348->47469 47350 404968 47351 401f66 28 API calls 47350->47351 47352 404977 47351->47352 47353 41a696 79 API calls 47352->47353 47354 40497c 47353->47354 47355 401eea 26 API calls 47354->47355 47355->47345 47357 4043e1 47356->47357 47358 4042b3 47356->47358 47359 4043e7 WSAGetLastError 47357->47359 47408 404343 47357->47408 47360 4042e8 47358->47360 47363 404cbf 28 API calls 47358->47363 47358->47408 47361 4043f7 47359->47361 47359->47408 47474 420161 27 API calls 47360->47474 47364 4042f7 47361->47364 47365 4043fc 47361->47365 47368 4042d4 47363->47368 47371 401f66 28 API calls 47364->47371 47479 41bc86 30 API calls 47365->47479 47367 4042f0 47367->47364 47370 404306 47367->47370 47372 401f66 28 API calls 47368->47372 47369 40440b 47480 404c9e 28 API calls 47369->47480 47380 404315 
47370->47380 47381 40434c 47370->47381 47375 404448 47371->47375 47373 4042e3 47372->47373 47376 41a696 79 API calls 47373->47376 47378 401f66 28 API calls 47375->47378 47376->47360 47377 404418 47379 401f66 28 API calls 47377->47379 47382 404457 47378->47382 47384 404427 47379->47384 47386 401f66 28 API calls 47380->47386 47476 420f44 56 API calls 47381->47476 47383 41a696 79 API calls 47382->47383 47383->47408 47387 41a696 79 API calls 47384->47387 47389 404324 47386->47389 47390 40442c 47387->47390 47388 404354 47391 404389 47388->47391 47392 404359 47388->47392 47393 401f66 28 API calls 47389->47393 47395 401eea 26 API calls 47390->47395 47478 4202fa 28 API calls 47391->47478 47396 401f66 28 API calls 47392->47396 47397 404333 47393->47397 47395->47408 47399 404368 47396->47399 47400 41a696 79 API calls 47397->47400 47398 404391 47401 4043be CreateEventW CreateEventW 47398->47401 47403 401f66 28 API calls 47398->47403 47402 401f66 28 API calls 47399->47402 47414 404338 47400->47414 47401->47408 47404 404377 47402->47404 47406 4043a7 47403->47406 47407 41a696 79 API calls 47404->47407 47409 401f66 28 API calls 47406->47409 47410 40437c 47407->47410 47408->46859 47411 4043b6 47409->47411 47477 4205a2 54 API calls 47410->47477 47413 41a696 79 API calls 47411->47413 47415 4043bb 47413->47415 47475 41dc25 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47414->47475 47415->47401 47481 41a955 GlobalMemoryStatusEx 47416->47481 47418 41a992 47418->46859 47482 413646 47419->47482 47423 40cc0d 47422->47423 47424 41246e 3 API calls 47423->47424 47426 40cc14 47424->47426 47425 40cc2c 47425->46859 47426->47425 47427 4124b7 3 API calls 47426->47427 47427->47425 47429 401f86 28 API calls 47428->47429 47430 41ae13 47429->47430 47430->46859 47432 41aee5 47431->47432 47433 401f86 28 API calls 47432->47433 47434 41aef7 47433->47434 47434->46859 47435->46867 47437 436060 ___scrt_fastfail 47436->47437 47438 41ac81 GetForegroundWindow GetWindowTextW 47437->47438 47439 
403b40 28 API calls 47438->47439 47440 41acab 47439->47440 47440->46867 47442 401f66 28 API calls 47441->47442 47443 40e69e 47442->47443 47443->46867 47444->46867 47453 4045ec 47445->47453 47446 43a89c ___crtLCMapStringA 21 API calls 47446->47453 47448 40465b 47450 404666 47448->47450 47448->47453 47449 401f86 28 API calls 47449->47453 47535 4047eb 98 API calls 47450->47535 47451 401eef 26 API calls 47451->47453 47453->47446 47453->47448 47453->47449 47453->47451 47455 401eea 26 API calls 47453->47455 47523 404688 47453->47523 47534 40455b 59 API calls 47453->47534 47454 40466d 47456 401eea 26 API calls 47454->47456 47455->47453 47457 404676 47456->47457 47458 401eea 26 API calls 47457->47458 47459 40467f 47458->47459 47459->46836 47461->46859 47462->46836 47463->46836 47464->46867 47465->46836 47466->46836 47467->47333 47468->47340 47469->47350 47473 404b29 101 API calls 47470->47473 47472 404b26 47473->47472 47474->47367 47475->47408 47476->47388 47477->47414 47478->47398 47479->47369 47480->47377 47481->47418 47485 413619 47482->47485 47486 41362e ___scrt_initialize_default_local_stdio_options 47485->47486 47489 43e2ed 47486->47489 47492 43b040 47489->47492 47493 43b080 47492->47493 47494 43b068 47492->47494 47493->47494 47495 43b088 47493->47495 47516 445364 20 API calls __dosmaperr 47494->47516 47518 4392ee 38 API calls 2 library calls 47495->47518 47498 43b06d 47517 43a837 26 API calls _Deallocate 47498->47517 47500 43b098 47519 43b7c6 20 API calls 2 library calls 47500->47519 47503 41363c 47503->46859 47504 43b110 47520 43be34 50 API calls 3 library calls 47504->47520 47507 43b11b 47521 43b830 20 API calls _free 47507->47521 47508 43b078 47509 433d3c 47508->47509 47510 433d47 IsProcessorFeaturePresent 47509->47510 47511 433d45 47509->47511 47513 4341b4 47510->47513 47511->47503 47522 434178 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47513->47522 47515 434297 47515->47503 47516->47498 47517->47508 47518->47500 
                                                    [Control-flow graph edge data from the interactive graph widget omitted. API calls named in this graph: CreateEventA, CreateThread, WaitForSingleObject, CloseHandle, SetEvent, GetTickCount, GetLastInputInfo, _strftime, TerminateProcess, Sleep, ExitProcess.]

                                                    Control-flow Graph

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$HandleLibraryLoadModule
                                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                    • API String ID: 384173800-625181639
                                                    • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                    • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                                                    • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                    • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 0040D767 omitted (interactive widget with its Executed / Not Executed legend). API calls named in the graph: GetModuleFileNameW, CreateThread (seven call sites), StrToIntA, SetProcessDEPPolicy, Sleep, DeleteFileW.]
                                                    APIs
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe,00000104), ref: 0040D790
                                                      • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                    • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-Y2VJ1N$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                    • API String ID: 2830904901-3029659214
                                                    • Opcode ID: a1e1641ac996dd8d3d4c21876c80dae499284de3cda9a76a993c65e0cbfa66c7
                                                    • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                                                    • Opcode Fuzzy Hash: a1e1641ac996dd8d3d4c21876c80dae499284de3cda9a76a993c65e0cbfa66c7
                                                    • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 004099E4 omitted (interactive widget with its Executed / Not Executed legend). API calls named in the graph: SetWindowsHookExA, GetLastError, GetMessageA, TranslateMessage, DispatchMessageA.]
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                    • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                    • GetLastError.KERNEL32 ref: 00409A1B
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                    • TranslateMessage.USER32(?), ref: 00409A7A
                                                    • DispatchMessageA.USER32(?), ref: 00409A85
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                    • String ID: Keylogger initialization failure: error $`#v
                                                    • API String ID: 3219506041-3226811161
                                                    • Opcode ID: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                                    • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                                                    • Opcode Fuzzy Hash: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                                    • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                      • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                      • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                    • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                    • ExitProcess.KERNEL32 ref: 0040E672
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                                    • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                    • API String ID: 2281282204-3981147832
                                                    • Opcode ID: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                                    • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                                    • Opcode Fuzzy Hash: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                                    • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 00404915 omitted (interactive widget with its Executed / Not Executed legend). API calls named in the graph: GetLocalTime, CreateEventA, CreateThread.]
                                                    APIs
                                                    • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                    • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                    Strings
                                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Create$EventLocalThreadTime
                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                    • API String ID: 2532271599-1507639952
                                                    • Opcode ID: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                                    • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                                                    • Opcode Fuzzy Hash: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                                    • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                                                    APIs
                                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                                    • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                    • String ID:
                                                    • API String ID: 1815803762-0
                                                    • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                    • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                                    • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                    • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                                    APIs
                                                    • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7CF
                                                    • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Name$ComputerUser
                                                    • String ID:
                                                    • API String ID: 4229901323-0
                                                    • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                    • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                    • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                    • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                    • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                    • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                    • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: recv
                                                    • String ID:
                                                    • API String ID: 1507349165-0
                                                    • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                    • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                    • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                    • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                    Control-flow Graph

                                                    control_flow_graph 447 413fd4-41401f call 401faa call 41aa83 call 401faa call 401d64 call 401e8f call 43a5f7 460 414021-414028 Sleep 447->460 461 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afd3 call 404262 call 401d64 call 40b125 447->461 460->461 476 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afd3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 461->476 477 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 461->477 530 41419a-4141a1 476->530 531 41418c-414198 476->531 477->476 532 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a696 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 530->532 531->532 559 414244-41428a WSAGetLastError call 41bc86 call 404c9e call 401f66 call 41a696 call 401eea 532->559 560 41428f-41429d call 4041f1 532->560 582 414b54-414b66 call 4047eb call 4020b4 559->582 565 4142ca-4142df call 404915 call 40428c 560->565 566 41429f-4142c5 call 401f66 * 2 call 41a696 560->566 581 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a696 call 401eea * 4 call 41a97d call 413683 call 4082dc call 440c61 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 565->581 565->582 566->582 647 414434-414441 call 40541d 581->647 648 414446-41446d call 401e8f call 412513 581->648 596 414b68-414b88 call 401d64 call 401e8f call 43a5f7 Sleep 582->596 597 414b8e-414b96 call 401d8c 582->597 596->597 597->476 647->648 654 414474-414830 call 403b40 call 40cbf1 call 41adfe call 41aed8 call 41ad56 call 401d64 GetTickCount call 41ad56 call 41acb0 call 41ad56 * 2 call 41ac62 call 41aed8 * 5 call 40e679 call 41aed8 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c 648->654 655 41446f-414471 648->655 781 414832 call 404468 654->781 655->654 782 414837-414abb call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 781->782 900 414ac0-414ac7 782->900 901 414ac9-414ad0 900->901 902 414adb-414ae2 900->902 901->902 903 414ad2-414ad4 901->903 904 414ae4-414ae9 call 40a767 902->904 905 414aee-414b20 call 405415 call 401f66 * 2 call 41a696 902->905 903->902 904->905 916 414b22-414b2e CreateThread 905->916 917 414b34-414b4f call 401eea * 2 call 401e13 905->917 916->917 917->582
                                                    APIs
                                                    • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                    • WSAGetLastError.WS2_32 ref: 00414249
                                                    • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep$ErrorLastLocalTime
                                                    • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-Y2VJ1N$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                    • API String ID: 524882891-922868455
                                                    • Opcode ID: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                                    • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                                                    • Opcode Fuzzy Hash: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                                    • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                    Control-flow Graph

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0040A456
                                                    • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                    • GetForegroundWindow.USER32 ref: 0040A467
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                    • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                    • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                                                    • API String ID: 911427763-1497357211
                                                    • Opcode ID: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                                    • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                                                    • Opcode Fuzzy Hash: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                                    • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F

                                                    Control-flow Graph

                                                    APIs
                                                    • Sleep.KERNEL32(00001388), ref: 00409E62
                                                      • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                      • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                      • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                      • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                    • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                    • API String ID: 3795512280-3163867910
                                                    • Opcode ID: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                                    • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                                    • Opcode Fuzzy Hash: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                                    • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A

                                                    Control-flow Graph

                                                    control_flow_graph 1102 40428c-4042ad connect 1103 4043e1-4043e5 1102->1103 1104 4042b3-4042b6 1102->1104 1107 4043e7-4043f5 WSAGetLastError 1103->1107 1108 40445f 1103->1108 1105 4043da-4043dc 1104->1105 1106 4042bc-4042bf 1104->1106 1109 404461-404465 1105->1109 1110 4042c1-4042e8 call 404cbf call 401f66 call 41a696 1106->1110 1111 4042eb-4042f5 call 420161 1106->1111 1107->1108 1112 4043f7-4043fa 1107->1112 1108->1109 1110->1111 1122 404306-404313 call 420383 1111->1122 1123 4042f7-404301 1111->1123 1115 404439-40443e 1112->1115 1116 4043fc-404437 call 41bc86 call 404c9e call 401f66 call 41a696 call 401eea 1112->1116 1119 404443-40445c call 401f66 * 2 call 41a696 1115->1119 1116->1108 1119->1108 1136 404315-404338 call 401f66 * 2 call 41a696 1122->1136 1137 40434c-404357 call 420f44 1122->1137 1123->1119 1163 40433b-404347 call 4201a1 1136->1163 1148 404389-404396 call 4202fa 1137->1148 1149 404359-404387 call 401f66 * 2 call 41a696 call 4205a2 1137->1149 1160 404398-4043bb call 401f66 * 2 call 41a696 1148->1160 1161 4043be-4043d7 CreateEventW * 2 1148->1161 1149->1163 1160->1161 1161->1105 1163->1108
                                                    APIs
                                                    • connect.WS2_32(?,?,?), ref: 004042A5
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                    • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                    • API String ID: 994465650-2151626615
                                                    • Opcode ID: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                                    • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                                    • Opcode Fuzzy Hash: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                                    • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                                                    Control-flow Graph

                                                    control_flow_graph 1177 40c89e-40c8c3 call 401e52 1180 40c8c9 1177->1180 1181 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 1177->1181 1182 40c8d0-40c8d5 1180->1182 1183 40c9c2-40c9c7 1180->1183 1184 40c905-40c90a 1180->1184 1185 40c9d8 1180->1185 1186 40c9c9-40c9ce call 43ac1f 1180->1186 1187 40c8da-40c8e8 call 41a75b call 401e18 1180->1187 1188 40c8fb-40c900 1180->1188 1189 40c9bb-40c9c0 1180->1189 1190 40c90f-40c916 call 41b16b 1180->1190 1202 40ca18-40ca85 call 403b40 call 40cc37 call 402860 * 2 call 401e13 * 5 1181->1202 1192 40c9dd-40c9e2 call 43ac1f 1182->1192 1183->1192 1184->1192 1185->1192 1199 40c9d3-40c9d6 1186->1199 1211 40c8ed 1187->1211 1188->1192 1189->1192 1203 40c918-40c968 call 403b40 call 43ac1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1190->1203 1204 40c96a-40c9b6 call 403b40 call 43ac1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1190->1204 1205 40c9e3-40c9e8 call 4082d7 1192->1205 1199->1185 1199->1205 1216 40c8f1-40c8f6 call 401e13 1203->1216 1204->1211 1205->1181 1211->1216 1216->1181
                                                    APIs
                                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LongNamePath
                                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                    • API String ID: 82841172-425784914
                                                    • Opcode ID: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                                    • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                                                    • Opcode Fuzzy Hash: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                                    • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                      • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                      • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                      • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                      • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                    • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                    • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                    • API String ID: 782494840-3211212173
                                                    • Opcode ID: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                                    • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                                                    • Opcode Fuzzy Hash: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                                    • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                                                    Control-flow Graph
                                                    APIs
                                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                                                    Strings
                                                    • http://geoplugin.net/json.gp, xrefs: 0041A55E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                    • String ID: http://geoplugin.net/json.gp
                                                    • API String ID: 3121278467-91888290
                                                    • Opcode ID: 14c6614d3ac3538854dee68680e3e9c55e87a9eb929117dbc6e549c036042252
                                                    • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                                                    • Opcode Fuzzy Hash: 14c6614d3ac3538854dee68680e3e9c55e87a9eb929117dbc6e549c036042252
                                                    • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA

                                                    Control-flow Graph
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                    • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleSizeSleep
                                                    • String ID: `AG
                                                    • API String ID: 1958988193-3058481221
                                                    • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                    • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                    • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                    • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

                                                    Control-flow Graph
                                                    APIs
                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                    • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                    • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: HgF$pth_unenc
                                                    • API String ID: 1818849710-3662775637
                                                    • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                    • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                    • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                    • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$LocalTimewsprintf
                                                    • String ID: Offline Keylogger Started
                                                    • API String ID: 465354869-4114347211
                                                    • Opcode ID: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                                    • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                                                    • Opcode Fuzzy Hash: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                                    • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                                                    APIs
                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: TUF
                                                    • API String ID: 1818849710-3431404234
                                                    • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                    • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                    • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                    • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                    • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 3360349984-0
                                                    • Opcode ID: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                    • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                    • Opcode Fuzzy Hash: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                    • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                                    • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                    • String ID:
                                                    • API String ID: 3604237281-0
                                                    • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                    • Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
                                                    • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                    • Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountEventTick
                                                    • String ID: >G
                                                    • API String ID: 180926312-1296849874
                                                    • Opcode ID: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                                    • Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
                                                    • Opcode Fuzzy Hash: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                                    • Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                    • GetLastError.KERNEL32 ref: 0040BEF1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateErrorLastMutex
                                                    • String ID: Rmc-Y2VJ1N
                                                    • API String ID: 1925916568-930817632
                                                    • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                    • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                    • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                    • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                    • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3677997916-0
                                                    • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                    • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                    • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                    • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                    • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3677997916-0
                                                    • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                    • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                    • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                    • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                    • RegCloseKey.KERNEL32(?), ref: 00412500
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3677997916-0
                                                    • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                    • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                    • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                    • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                    • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3677997916-0
                                                    • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                    • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                    • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                    • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: xAG
                                                    • API String ID: 176396367-2759412365
                                                    • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                    • Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
                                                    • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                    • Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A969
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID: @
                                                    • API String ID: 1890195054-2766056989
                                                    • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                    • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                    • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                    • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                    APIs
                                                    • _free.LIBCMT ref: 0044B9EF
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • RtlReAllocateHeap.NTDLL(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap$_free
                                                    • String ID:
                                                    • API String ID: 1482568997-0
                                                    • Opcode ID: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                                    • Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
                                                    • Opcode Fuzzy Hash: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                                    • Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED
                                                    APIs
                                                    • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateEventStartupsocket
                                                    • String ID:
                                                    • API String ID: 1953588214-0
                                                    • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                    • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                    • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                    • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 0041AC84
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC97
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$ForegroundText
                                                    • String ID:
                                                    • API String ID: 29597999-0
                                                    • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                    • Instruction ID: cc2156d331005380bc7f387210694eb4be3f76427b44d354f8bc4e4bef854abe
                                                    • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                    • Instruction Fuzzy Hash: CFE04875A0031867FB24A765AD4EFD6766C9704715F0000B9BA19E21C3E9B4EA04C7E4
                                                    APIs
                                                    • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                    • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                      • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                      • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                      • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                      • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                      • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                      • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                      • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                      • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                    • String ID:
                                                    • API String ID: 1170566393-0
                                                    • Opcode ID: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                                    • Instruction ID: 6b8e1b3bf706901e9cebb32ced8ad4f2671330a9e567d97b4cc2d1cd49d6d23a
                                                    • Opcode Fuzzy Hash: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                                    • Instruction Fuzzy Hash: CED05B326406216FA310575D6D01FFBB5DCDFA67717110077F408D7110D6946D8283ED
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                    • Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
                                                    • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                    • Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF
                                                    APIs
                                                    • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Startup
                                                    • String ID:
                                                    • API String ID: 724789610-0
                                                    • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                    • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                    • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                    • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: send
                                                    • String ID:
                                                    • API String ID: 2809346765-0
                                                    • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                    • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                    • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                    • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                    APIs
                                                    • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                    • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                      • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                      • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                      • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                      • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                      • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                      • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                    • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                      • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                      • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                      • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                    • Sleep.KERNEL32(000007D0), ref: 00407976
                                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                      • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                    • API String ID: 2918587301-184849705
                                                    • Opcode ID: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                                    • Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
                                                    • Opcode Fuzzy Hash: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                                    • Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0040508E
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • __Init_thread_footer.LIBCMT ref: 004050CB
                                                    • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                                                    • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                    • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                    • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                    • CloseHandle.KERNEL32 ref: 004053CD
                                                    • CloseHandle.KERNEL32 ref: 004053D5
                                                    • CloseHandle.KERNEL32 ref: 004053E7
                                                    • CloseHandle.KERNEL32 ref: 004053EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                    • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                                    • API String ID: 3815868655-1274243119
                                                    • Opcode ID: da3a2e210fc7224a1c97f8069aa9ce89caac790e2d52e43450189485ebccb244
                                                    • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                                    • Opcode Fuzzy Hash: da3a2e210fc7224a1c97f8069aa9ce89caac790e2d52e43450189485ebccb244
                                                    • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                    • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                      • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                      • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                      • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                    • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                    • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                    • API String ID: 65172268-329858390
                                                    • Opcode ID: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                                    • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                                    • Opcode Fuzzy Hash: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                                    • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                    • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                    • FindClose.KERNEL32(00000000), ref: 0040B517
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseFile$FirstNext
                                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                    • API String ID: 1164774033-3681987949
                                                    • Opcode ID: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                                    • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                                                    • Opcode Fuzzy Hash: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                                    • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                    • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                    • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                    • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$Close$File$FirstNext
                                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                    • API String ID: 3527384056-432212279
                                                    • Opcode ID: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                                    • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                                                    • Opcode Fuzzy Hash: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                                    • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                    • API String ID: 726551946-3025026198
                                                    • Opcode ID: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                                    • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                                                    • Opcode Fuzzy Hash: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                                    • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                                                    APIs
                                                    • OpenClipboard.USER32 ref: 004159C7
                                                    • EmptyClipboard.USER32 ref: 004159D5
                                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                    • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                    • OpenClipboard.USER32 ref: 00415A61
                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                    • CloseClipboard.USER32 ref: 00415A89
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                    • String ID:
                                                    • API String ID: 3520204547-0
                                                    • Opcode ID: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                                    • Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
                                                    • Opcode Fuzzy Hash: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                                    • Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0$1$2$3$4$5$6$7
                                                    • API String ID: 0-3177665633
                                                    • Opcode ID: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                                    • Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
                                                    • Opcode Fuzzy Hash: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                                    • Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                    • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                    • GetKeyState.USER32(00000010), ref: 00409B5C
                                                    • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                    • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                    • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                    Similarity
                                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                    • String ID: X[G
                                                    • API String ID: 1888522110-739899062
                                                    • Opcode ID: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                                    • Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
                                                    • Opcode Fuzzy Hash: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                                    • Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00406788
                                                    • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                    Similarity
                                                    • API ID: Object_wcslen
                                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                    • API String ID: 240030777-3166923314
                                                    • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                    • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                                                    • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                    • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                                                    APIs
                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                                                    • GetLastError.KERNEL32 ref: 00419945
                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                                                    Similarity
                                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                    • String ID:
                                                    • API String ID: 3587775597-0
                                                    • Opcode ID: 2caf08f77d8ca62ad109a048474f40c1da1eaf17a15a7df77165c474071c4c53
                                                    • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                                                    • Opcode Fuzzy Hash: 2caf08f77d8ca62ad109a048474f40c1da1eaf17a15a7df77165c474071c4c53
                                                    • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                                                    Similarity
                                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                    • String ID:
                                                    • API String ID: 2341273852-0
                                                    • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                    • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                                                    • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                    • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                                                    APIs
                                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                    Similarity
                                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                                    • API String ID: 2127411465-314212984
                                                    • Opcode ID: 18a39fcbd2619a0ad7b15b3ace1fa1aaa8af28e14aabfdf4cb9dcfc1e5c535ab
                                                    • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                                    • Opcode Fuzzy Hash: 18a39fcbd2619a0ad7b15b3ace1fa1aaa8af28e14aabfdf4cb9dcfc1e5c535ab
                                                    • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                    • GetLastError.KERNEL32 ref: 0040B261
                                                    Strings
                                                    • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                    • UserProfile, xrefs: 0040B227
                                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast
                                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                    • API String ID: 2018770650-1062637481
                                                    • Opcode ID: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                                    • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                                    • Opcode Fuzzy Hash: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                                    • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                    • GetLastError.KERNEL32 ref: 00416B02
                                                    Similarity
                                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                    • String ID: SeShutdownPrivilege
                                                    • API String ID: 3534403312-3733053543
                                                    • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                    • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                    • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                    • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
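The records above are the ones worth reading first when triaging this sample: keystroke translation against the foreground window's layout (GetForegroundWindow, GetKeyboardLayout, ToUnicodeEx), CoGetObject on the "Elevation:Administrator!new:" moniker for CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (the CMSTPLUA object the report's signature list flags as a UAC bypass), deletion of Chrome's Login Data database (the strings say "cleared", so this wipes rather than reads it), SeShutdownPrivilege enablement, and a recursive directory delete. The script below is an added example, not part of the Joe Sandbox report: it parses records in the report's own "• Api.MODULE(args), ref: ADDR" shape and tags each with the capability its call pattern and strings imply. The capability names, the matching rules and the sample excerpt are constructed for this example.

```python
"""Triage helper for Joe Sandbox function-level API listings (added example, not report code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's listing shape; "\\" in the source is one backslash.
SAMPLE_REPORT = """\
APIs
• GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
• GetKeyboardLayout.USER32(00000000), ref: 00409B52
• ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
APIs
• DeleteFileA.KERNEL32(00000000,\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0041B499
• DeleteFileW.KERNEL32(?), ref: 0041B546
  • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?), ref: 0041B51C
• FindClose.KERNEL32(00000000), ref: 0041B571
"""

# "• Name.MODULE(args), ref: ADDR"; the args and the "Part of subcall function" prefix are optional.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_LINE = re.compile(r"^•\s*(?P<text>.*), xrefs: [0-9A-Fa-f]{8}\s*$")
ID_LINE = re.compile(r"^•\s*(?P<kind>API ID|String ID):\s*(?P<value>.*)$")
SECTIONS = {"APIs": "apis", "Strings": "strings", "Similarity": "similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    via_subcall: bool  # True when the report attributes the call to a callee


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

    @property
    def site(self) -> str | None:
        """Lowest direct call-site address, used as a stable key for the record."""
        direct = [c.ref for c in self.apis if not c.via_subcall]
        return min(direct) if direct else None


# capability id -> (API names that must all appear, substrings that must appear in strings or args)
CAPABILITIES: dict[str, tuple[frozenset[str], tuple[str, ...]]] = {
    # keystrokes translated against the foreground window's layout: a keylogger core
    "keylogging": (frozenset({"GetForegroundWindow", "GetKeyboardLayout", "ToUnicodeEx"}), ()),
    # CoGetObject on the Elevation moniker for the CMSTPLUA CLSID: auto-elevated COM UAC bypass
    "uac_bypass_cmstplua": (frozenset({"CoGetObject"}),
                            ("Elevation:Administrator!new:", "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")),
    # deletes Chrome's saved-password database instead of reading it
    "chrome_login_wipe": (frozenset({"DeleteFileA"}), ("Chrome\\User Data\\Default\\Login Data",)),
    # walks a directory, deletes its files and removes the directory itself
    "recursive_delete": (frozenset({"FindFirstFileW", "DeleteFileW", "RemoveDirectoryW"}), ()),
}


def parse_records(text: str) -> list[FunctionRecord]:
    """Split a listing into per-function records; each "APIs" header opens a new record."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            section = SECTIONS.get(line)  # other headers (Memory Dump Source, ...) carry no data we use
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "apis" and (m := API_LINE.match(line)):
            rec.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["caller"] is not None))
        elif section == "strings" and (m := STRING_LINE.match(line)):
            rec.strings.append(m["text"])
        elif section == "similarity" and (m := ID_LINE.match(line)) and m["kind"] == "String ID":
            rec.strings.extend(s for s in m["value"].split("$") if s)  # "$" separates strings; drop empties
    return records


def classify(rec: FunctionRecord) -> list[str]:
    """Return every capability whose required APIs and substrings are all present in the record."""
    names = {c.name for c in rec.apis}
    haystack = "\n".join(rec.strings + [c.args for c in rec.apis])
    return [cap for cap, (apis, needles) in CAPABILITIES.items()
            if apis <= names and all(n in haystack for n in needles)]


def triage(report_text: str) -> dict[str, list[str]]:
    """Map each record's lowest call site to the capabilities its calls and strings imply."""
    hits: dict[str, list[str]] = {}
    for rec in parse_records(report_text):
        caps = classify(rec)
        if caps and rec.site:
            hits[rec.site] = caps
    return hits


if __name__ == "__main__":
    for site, caps in triage(SAMPLE_REPORT).items():
        print(f"{site}: {', '.join(caps)}")
```

Subcall lines are folded into the calling record on purpose: the recursive delete above only shows RemoveDirectoryW through "Part of subcall function 0041B43F", so a matcher that ignored subcalls would miss the pattern. Strings from the "String ID" line are searched as substrings because the report lists them "$"-separated and, for the moniker, split across two entries.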
                                                    APIs
                                                    Similarity
                                                    • API ID: __floor_pentium4
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 4168288129-2761157908
                                                    • Opcode ID: c9c150e801306c30e3e6fd676bf91ab99d53cd06d8b99a70f0bcb8a83e562639
                                                    • Instruction ID: e307a384b629b95ff6fef94050d5be06a037bb5012f5a6d22b447047531b26ff
                                                    • Opcode Fuzzy Hash: c9c150e801306c30e3e6fd676bf91ab99d53cd06d8b99a70f0bcb8a83e562639
                                                    • Instruction Fuzzy Hash: 1FC27071E046288FDB25CE28CD447EAB3B5EB44346F1441EBD84DE7242E778AE898F45
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 004089AE
                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                      • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                      • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                      • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Similarity
                                                    • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                    • String ID:
                                                    • API String ID: 4043647387-0
                                                    • Opcode ID: b6d780576700f4933a9aaca3c1beff4f868690156509575001d11b963eafbbf9
                                                    • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                                    • Opcode Fuzzy Hash: b6d780576700f4933a9aaca3c1beff4f868690156509575001d11b963eafbbf9
                                                    • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                                    • String ID:
                                                    • API String ID: 276877138-0
                                                    • Opcode ID: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                                    • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                                                    • Opcode Fuzzy Hash: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                                    • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Find$CreateFirstNext
                                                    • String ID: @CG$XCG$>G
                                                    • API String ID: 341183262-3030817687
                                                    • Opcode ID: bdf19f3600ef3cc3e8fbade951765131cd50cae54f5c0b8e5a05de1674f7c19c
                                                    • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                                                    • Opcode Fuzzy Hash: bdf19f3600ef3cc3e8fbade951765131cd50cae54f5c0b8e5a05de1674f7c19c
                                                    • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                                                    APIs
                                                      • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                      • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                      • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                      • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                      • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                    • String ID: PowrProf.dll$SetSuspendState
                                                    • API String ID: 1589313981-1420736420
                                                    • Opcode ID: 9a2ea4b760d1687da6394f818f94bf6b74c7e65cca45165fb093390337838f86
                                                    • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                                                    • Opcode Fuzzy Hash: 9a2ea4b760d1687da6394f818f94bf6b74c7e65cca45165fb093390337838f86
                                                    • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                                                    • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: ACP$OCP
                                                    • API String ID: 2299586839-711371036
                                                    • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                    • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                                                    • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                    • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                                                    APIs
                                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                                                    • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                                                    • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                                                    • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$FindLoadLockSizeof
                                                    • String ID: SETTINGS
                                                    • API String ID: 3473537107-594951305
                                                    • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                    • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                                                    • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                    • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
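The block above loads an RCDATA resource named SETTINGS (FindResourceA with type 0x0A = RT_RCDATA), which is where Remcos builds keep their configuration and what the "Found malware configuration" verdict is based on. The following is an added example written for this page by the editor, not code from the report, from Joe Sandbox or from the malware. It assumes the resource layout that has been widely reported for Remcos (first byte = RC4 key length, then the key, then the RC4-encrypted config with fields separated by "|\x1e\x1e\x1f|", multiple C2 entries in field 0 separated by 0x1E); that layout, the delimiter and the field-0 meaning are assumptions to verify against the build in hand, the pefile-based helper is optional, and the blob it parses is constructed from a made-up key and config rather than taken from this sample:

```python
# Added example (editor's code, not the report's or the malware's): recover the
# configuration from a Remcos-style "SETTINGS" RCDATA resource.
# ASSUMED layout: byte 0 = RC4 key length, then the key, then RC4(config) with
# fields separated by FIELD_SEP.  Verify against the version you are analysing.
from typing import List, Tuple

FIELD_SEP = b"|\x1e\x1e\x1f|"   # assumed field delimiter; older builds used other separators


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> Tuple[bytes, List[bytes]]:
    """Split a SETTINGS blob into (rc4_key, decrypted_fields)."""
    if len(blob) < 2:
        raise ValueError("SETTINGS resource too short")
    klen = blob[0]
    key, enc = blob[1:1 + klen], blob[1 + klen:]
    if klen == 0 or len(key) != klen:
        raise ValueError("key length byte does not fit the resource")
    return key, rc4(key, enc).split(FIELD_SEP)


def c2_endpoints(fields: List[bytes]) -> List[Tuple[str, int]]:
    """Field 0 is assumed to hold the C2 list as host:port:<flag> entries split on 0x1E.
    Anything else means the layout assumption did not hold for this build."""
    endpoints = []
    for entry in fields[0].split(b"\x1e"):
        parts = entry.split(b":")
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"field 0 is not host:port:...: {entry!r}; wrong layout/version?")
        endpoints.append((parts[0].decode("latin-1"), int(parts[1])))
    return endpoints


def build_settings(key: bytes, fields: List[bytes]) -> bytes:
    """Inverse of parse_settings; used here only to construct test input."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def settings_from_pe(path: str) -> bytes:
    """Pull the raw SETTINGS RCDATA resource out of a PE file (needs pefile; optional)."""
    import pefile
    pe = pefile.PE(path)
    for rtype in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if rtype.id != pefile.RESOURCE_TYPE["RT_RCDATA"]:
            continue
        for res in rtype.directory.entries:
            if res.name is not None and str(res.name) == "SETTINGS":
                data = res.directory.entries[0].data.struct
                return pe.get_data(data.OffsetToData, data.Size)
    raise LookupError("no RCDATA resource named SETTINGS")


# Constructed sample: a made-up key and config, encrypted the same way (not from the sample).
SAMPLE_KEY = b"constructed-test-key"
SAMPLE_FIELDS = [b"198.51.100.10:2404:1\x1e203.0.113.7:443:1", b"RemoteHost", b"1", b"Rmc-TEST"]
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_FIELDS)

if __name__ == "__main__":
    key, fields = parse_settings(SAMPLE_BLOB)
    print("rc4 key:", key, "c2:", c2_endpoints(fields))
```

On a real file, feed `settings_from_pe(path)` into `parse_settings`; if `c2_endpoints` raises, the key-length byte or the delimiter differs for that build and the decrypted bytes should be inspected by hand before trusting any field.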
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                                                    • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                    • String ID:
                                                    • API String ID: 745075371-0
                                                    • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                    • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                                                    • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                    • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00407A91
                                                    • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstH_prologNext
                                                    • String ID:
                                                    • API String ID: 1157919129-0
                                                    • Opcode ID: e8fc1aae19a95acc5e5ba4988fa9a3d6b6627a504d1d70c366dbdaaaee21e51e
                                                    • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                                                    • Opcode Fuzzy Hash: e8fc1aae19a95acc5e5ba4988fa9a3d6b6627a504d1d70c366dbdaaaee21e51e
                                                    • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                                                    APIs
                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                                    • _free.LIBCMT ref: 00448077
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00448243
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                    • String ID:
                                                    • API String ID: 1286116820-0
                                                    • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                    • Instruction ID: 9f73030e0ab81e705d7e97d576e5185c64763d3f00745452c155363557a16cba
                                                    • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                    • Instruction Fuzzy Hash: 97512A718002099BE714EF69CC829BF77BCEF44364F11026FE454A32A1EB389E46CB58
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                    Strings
                                                    • open, xrefs: 0040622E
                                                    • C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DownloadExecuteFileShell
                                                    • String ID: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe$open
                                                    • API String ID: 2825088817-3918251324
                                                    • Opcode ID: b67075259e0bd929e0ab264c94f4d1ca59ca1de50cdaeebcdd70e2622b8f7750
                                                    • Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
                                                    • Opcode Fuzzy Hash: b67075259e0bd929e0ab264c94f4d1ca59ca1de50cdaeebcdd70e2622b8f7750
                                                    • Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFind$FirstNextsend
                                                    • String ID: x@G$x@G
                                                    • API String ID: 4113138495-3390264752
                                                    • Opcode ID: 21733312e49eae253e2bcb47d9c134556802c5ae893f427082e78e5a185c5d5d
                                                    • Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
                                                    • Opcode Fuzzy Hash: 21733312e49eae253e2bcb47d9c134556802c5ae893f427082e78e5a185c5d5d
                                                    • Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                      • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                      • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                      • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateInfoParametersSystemValue
                                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                    • API String ID: 4127273184-3576401099
                                                    • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                    • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                                                    • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                    • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
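Several of the function blocks above are worth flagging as a group rather than one API at a time: the ShellExecuteW("open") + URLDownloadToFileW pair (download-and-execute), the SETTINGS resource loader, the SeShutdownPrivilege/ExitWindowsEx/SetSuspendState path, the FindFirstFileW loop whose subcall ends in send(), and the SystemParametersInfoW(0x14 = SPI_SETDESKWALLPAPER) call paired with the Control Panel\Desktop registry strings. The following is an added example by the editor, not code from the report or from Joe Sandbox: a small parser for the per-function "APIs" / "String ID" listings in the layout used on this page, plus a rule table that maps API combinations to those behaviours. The rule table is the editor's own and is not a sandbox signature; SAMPLE is constructed from entries shown above (with the self-path shortened), and the anchor returned per hit is the "ref:" address of the first direct call so an analyst can jump to it in the disassembly:

```python
# Added example (editor's code, not the report's or Joe Sandbox's): capability
# triage over Joe Sandbox per-function API listings.  SAMPLE is constructed from
# entries shown on this page; RULES is the editor's mapping, not a vendor signature.
import re
from dataclasses import dataclass, field
from typing import Optional

API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
SPI_SETDESKWALLPAPER = 0x14  # uiAction of the SystemParametersInfoW call in the wallpaper block

@dataclass
class ApiCall:
    name: str
    args: list
    ref: Optional[str]
    subcall: bool  # True for "Part of subcall function ..." lines

@dataclass
class Block:
    apis: list = field(default_factory=list)
    strings: set = field(default_factory=set)   # "String ID" entries, split on '$'

    @property
    def names(self):
        return {c.name for c in self.apis}

    def args_of(self, api):
        return [c.args for c in self.apis if c.name == api]

    @property
    def anchor(self):
        """Address of the first direct call (fallback: first subcall) to jump to in a disassembler."""
        refs = sorted((c.subcall, i) for i, c in enumerate(self.apis) if c.ref)
        return self.apis[refs[0][1]].ref if refs else "?"

def parse_blocks(text):
    """Split report text into function blocks; a block starts at each bare 'APIs' line."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Block(); blocks.append(cur); continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m.group("name"), args, m.group("ref"), bool(m.group("sub"))))
        elif m := STRING_ID_RE.match(line):
            cur.strings.update(s for s in m.group("ids").split("$") if s)
    return blocks

def _hex(tok):
    try:
        return int(tok, 16)
    except ValueError:       # '?' or a symbolic argument
        return None

RULES = {
    "download-and-execute": lambda b: {"URLDownloadToFileW", "ShellExecuteW"} <= b.names,
    "config in SETTINGS resource": lambda b: bool(b.names & {"FindResourceA", "FindResourceW"})
        and "SETTINGS" in b.strings,
    "shutdown/suspend host": lambda b: "ExitWindowsEx" in b.names
        or any("SeShutdownPrivilege" in a for a in b.args_of("LookupPrivilegeValueA")),
    "set desktop wallpaper": lambda b: any(a and _hex(a[0]) == SPI_SETDESKWALLPAPER
        for a in b.args_of("SystemParametersInfoW")) and "Control Panel\\Desktop" in b.strings,
    "file enumeration feeding a socket send": lambda b: {"FindFirstFileW", "send"} <= b.names,
}

def triage(text):
    """Return {capability: [anchor address, ...]} for every block that satisfies a rule."""
    found = {}
    for b in parse_blocks(text):
        for cap, rule in RULES.items():
            if rule(b):
                found.setdefault(cap, []).append(b.anchor)
    return found

# Constructed input in the page's layout (entries taken from the blocks above).
SAMPLE = r"""
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
• open, xrefs: 0040622E
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
Similarity
• String ID: SETTINGS
APIs
  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
Similarity
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
  • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
APIs
• GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
"""

if __name__ == "__main__":
    for cap, refs in triage(SAMPLE).items():
        print(f"{cap:40s} @ {', '.join(refs)}")
```

Rules that need an argument value (the 0x14 wallpaper action, the SeShutdownPrivilege name) read it from the parenthesised argument list, so a block that only shows "?" placeholders for those arguments is not matched; extend RULES with the API pairs you care about and run it over the full report text.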
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                                                    • _wcschr.LIBVCRUNTIME ref: 00450C01
                                                    • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Similarity
                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                    • String ID:
                                                    • API String ID: 4212172061-0
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00408DAC
                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                    Similarity
                                                    • API ID: FileFind$FirstH_prologNext
                                                    • String ID:
                                                    • API String ID: 301083792-0
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                                                    Similarity
                                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                                    • String ID:
                                                    • API String ID: 2829624132-0
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A765
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A76F
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A77C
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID:
                                                    • API String ID: 3906539128-0
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 00442585
                                                    • TerminateProcess.KERNEL32(00000000,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044258C
                                                    • ExitProcess.KERNEL32 ref: 0044259E
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACDC
                                                    • NtSuspendProcess.NTDLL(00000000), ref: 0041ACE9
                                                    • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACF2
                                                    Similarity
                                                    • API ID: Process$CloseHandleOpenSuspend
                                                    • String ID:
                                                    • API String ID: 1999457699-0
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041AD08
                                                    • NtResumeProcess.NTDLL(00000000), ref: 0041AD15
                                                    • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD1E
                                                    Similarity
                                                    • API ID: Process$CloseHandleOpenResume
                                                    • String ID:
                                                    • API String ID: 3614150671-0
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .
                                                    • API String ID: 0-248832578
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                                    Strings
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: GetLocaleInfoEx
                                                    • API String ID: 2299586839-2904428671
                                                    APIs
                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520DD,?,?,00000008,?,?,00455422,00000000), ref: 0045230F
                                                    Similarity
                                                    • API ID: ExceptionRaise
                                                    • String ID:
                                                    • API String ID: 3997070919-0
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0
                                                    • API String ID: 0-4108050209
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                                    Similarity
                                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                                    • String ID:
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                                    Similarity
                                                    • API ID: ErrorLast$InfoLocale_abort_free
                                                    • String ID:
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    APIs
                                                      • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-00471558,?,0044226B,00000000,0046DAC0,0000000C,00442226,0000000A,?,?,00448749,0000000A,?,00446F84,00000001,00000364), ref: 00444AEB
                                                    • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                                                    Similarity
                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                    • String ID:
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BG3i@
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    Similarity
                                                    • API ID:
                                                    • String ID: >G
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                    • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                    • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                    • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    APIs
                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                                      • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                                    • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                                    • DeleteDC.GDI32(?), ref: 0041806D
                                                    • DeleteDC.GDI32(00000000), ref: 00418070
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                                    • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                                    • GetCursorInfo.USER32(?), ref: 004180C5
                                                    • GetIconInfo.USER32(?,?), ref: 004180DB
                                                    • DeleteObject.GDI32(?), ref: 0041810A
                                                    • DeleteObject.GDI32(?), ref: 00418117
                                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                                    • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                                    • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                                    • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                                    • DeleteDC.GDI32(?), ref: 0041828F
                                                    • DeleteDC.GDI32(00000000), ref: 00418292
                                                    • DeleteObject.GDI32(00000000), ref: 00418295
                                                    • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                                    • DeleteObject.GDI32(00000000), ref: 00418354
                                                    • GlobalFree.KERNEL32(?), ref: 0041835B
                                                    • DeleteDC.GDI32(?), ref: 0041836B
                                                    • DeleteDC.GDI32(00000000), ref: 00418376
                                                    • DeleteDC.GDI32(?), ref: 004183A8
                                                    • DeleteDC.GDI32(00000000), ref: 004183AB
                                                    • DeleteObject.GDI32(?), ref: 004183B1
                                                    • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                    • String ID: DISPLAY
                                                    • API String ID: 1352755160-865373369
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                    • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                    • ResumeThread.KERNEL32(?), ref: 00417582
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                    • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                    • GetLastError.KERNEL32 ref: 004175C7
                                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                    • API String ID: 4188446516-108836778
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                    • ExitProcess.KERNEL32 ref: 0041151D
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                    • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                    • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                    • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                      • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                                      • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                                      • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                    • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                    • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                      • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                    • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                    • API String ID: 4250697656-2665858469
                                                    • Opcode ID: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                                    • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                                                    • Opcode Fuzzy Hash: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                                    • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                      • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                    • ExitProcess.KERNEL32 ref: 0040C63E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                    • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                    • API String ID: 1861856835-3168347843
                                                    • Opcode ID: 81cba6c041354eceecb35cbe1aab922463b30a6c1d9d93050eacf49432977c0c
                                                    • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                                                    • Opcode Fuzzy Hash: 81cba6c041354eceecb35cbe1aab922463b30a6c1d9d93050eacf49432977c0c
                                                    • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                                                    APIs
                                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                                                    • SetEvent.KERNEL32 ref: 0041A39A
                                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                                                    • CloseHandle.KERNEL32 ref: 0041A3BB
                                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                    • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                    • API String ID: 738084811-2745919808
                                                    • Opcode ID: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                                    • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                                    • Opcode Fuzzy Hash: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                                    • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                    • ExitProcess.KERNEL32 ref: 0040C287
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                    • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                    • API String ID: 3797177996-1998216422
                                                    • Opcode ID: 172039706f693072dc9d04bdfcccb933a902077c78e676d0b750a38b29d640e1
                                                    • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                                    • Opcode Fuzzy Hash: 172039706f693072dc9d04bdfcccb933a902077c78e676d0b750a38b29d640e1
                                                    • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                    • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                    • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                    • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Write$Create
                                                    • String ID: RIFF$WAVE$data$fmt
                                                    • API String ID: 1602526932-4212202414
                                                    • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                    • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                    • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                    • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                    • API String ID: 1646373207-2541556464
                                                    • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                    • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                    • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                    • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 0040BC75
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                    • _wcslen.LIBCMT ref: 0040BD54
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                    • _wcslen.LIBCMT ref: 0040BE34
                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                    • ExitProcess.KERNEL32 ref: 0040BED0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                    • String ID: 6$C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe$del$open$BG$BG
                                                    • API String ID: 1579085052-207115969
                                                    • Opcode ID: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                                    • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                                                    • Opcode Fuzzy Hash: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                                    • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
                                                    APIs
                                                    • lstrlenW.KERNEL32(?), ref: 0041B1E6
                                                    • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                                                    • lstrlenW.KERNEL32(?), ref: 0041B217
                                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                                                    • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                                                    • _wcslen.LIBCMT ref: 0041B2EB
                                                    • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                                                    • GetLastError.KERNEL32 ref: 0041B323
                                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                                                    • lstrcatW.KERNEL32(?,?), ref: 0041B369
                                                    • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                                                    • GetLastError.KERNEL32 ref: 0041B380
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                    • String ID: ?
                                                    • API String ID: 3941738427-1684325040
                                                    • Opcode ID: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                                    • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                                                    • Opcode Fuzzy Hash: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                                    • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$EnvironmentVariable$_wcschr
                                                    • String ID:
                                                    • API String ID: 3899193279-0
                                                    • Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                    • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                                                    • Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                    • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                    • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                    • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                    • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                    • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                    • Sleep.KERNEL32(00000064), ref: 00412060
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                    • String ID: /stext "$HDG$HDG$>G$>G
                                                    • API String ID: 1223786279-3931108886
                                                    • Opcode ID: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                                    • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                                                    • Opcode Fuzzy Hash: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                                    • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                                                    • GetCursorPos.USER32(?), ref: 0041CB08
                                                    • SetForegroundWindow.USER32(?), ref: 0041CB11
                                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                                                    • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                                                    • ExitProcess.KERNEL32 ref: 0041CB84
                                                    • CreatePopupMenu.USER32 ref: 0041CB8A
                                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                    • String ID: Close
                                                    • API String ID: 1657328048-3535843008
                                                    • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                    • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                                                    • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                    • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$Info
                                                    • String ID:
                                                    • API String ID: 2509303402-0
                                                    • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                    • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                                    • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                    • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                    • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                    • __aulldiv.LIBCMT ref: 00407FE9
                                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                    • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                    • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                    • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                    • API String ID: 1884690901-3066803209
                                                    • Opcode ID: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                                    • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                                    • Opcode Fuzzy Hash: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                                    • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                    • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                    • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                    • String ID: \ws2_32$\wship6$getaddrinfo
                                                    • API String ID: 2490988753-3078833738
                                                    • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                    • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                                                    • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                    • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 004500C1
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                                    • _free.LIBCMT ref: 004500B6
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 004500D8
                                                    • _free.LIBCMT ref: 004500ED
                                                    • _free.LIBCMT ref: 004500F8
                                                    • _free.LIBCMT ref: 0045011A
                                                    • _free.LIBCMT ref: 0045012D
                                                    • _free.LIBCMT ref: 0045013B
                                                    • _free.LIBCMT ref: 00450146
                                                    • _free.LIBCMT ref: 0045017E
                                                    • _free.LIBCMT ref: 00450185
                                                    • _free.LIBCMT ref: 004501A2
                                                    • _free.LIBCMT ref: 004501BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                    • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                                    • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                    • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 0041913D
                                                    • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                                                    • Sleep.KERNEL32(000003E8), ref: 0041927D
                                                    • GetLocalTime.KERNEL32(?), ref: 0041928C
                                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                    • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                    • API String ID: 489098229-65789007
                                                    • Opcode ID: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                                    • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                                                    • Opcode Fuzzy Hash: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                                    • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                    • ExitProcess.KERNEL32 ref: 0040C832
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                    • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                    • API String ID: 1913171305-390638927
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                    • closesocket.WS2_32(000000FF), ref: 0040481F
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                    • String ID:
                                                    • API String ID: 3658366068-0
                                                    APIs
                                                      • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                                                    • GetLastError.KERNEL32 ref: 00454AA6
                                                    • __dosmaperr.LIBCMT ref: 00454AAD
                                                    • GetFileType.KERNEL32(00000000), ref: 00454AB9
                                                    • GetLastError.KERNEL32 ref: 00454AC3
                                                    • __dosmaperr.LIBCMT ref: 00454ACC
                                                    • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                                                    • CloseHandle.KERNEL32(?), ref: 00454C36
                                                    • GetLastError.KERNEL32 ref: 00454C68
                                                    • __dosmaperr.LIBCMT ref: 00454C6F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                    • String ID: H
                                                    • API String ID: 4237864984-2852464175
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 65535$udp
                                                    • API String ID: 0-1267037602
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                    • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                    • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                    • String ID: <$@$@FG$@FG$TUF$Temp
                                                    • API String ID: 1107811701-4124992407
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                    • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe), ref: 00406705
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentProcess
                                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                                    • API String ID: 2050909247-1144799832
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                                                    • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                                                    • __dosmaperr.LIBCMT ref: 004393DD
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                                                    • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                                                    • __dosmaperr.LIBCMT ref: 0043941A
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                                                    • __dosmaperr.LIBCMT ref: 0043946E
                                                    • _free.LIBCMT ref: 0043947A
                                                    • _free.LIBCMT ref: 00439481
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                    • String ID:
                                                    • API String ID: 2441525078-0
                                                    APIs
                                                    • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                    • TranslateMessage.USER32(?), ref: 00404F30
                                                    • DispatchMessageA.USER32(?), ref: 00404F3B
                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                                    • API String ID: 2956720200-749203953
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    APIs
                                                    • _free.LIBCMT ref: 00446DEF
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00446DFB
                                                    • _free.LIBCMT ref: 00446E06
                                                    • _free.LIBCMT ref: 00446E11
                                                    • _free.LIBCMT ref: 00446E1C
                                                    • _free.LIBCMT ref: 00446E27
                                                    • _free.LIBCMT ref: 00446E32
                                                    • _free.LIBCMT ref: 00446E3D
                                                    • _free.LIBCMT ref: 00446E48
                                                    • _free.LIBCMT ref: 00446E56
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                    • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                                                    • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                    • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                                                    APIs
                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                                                    • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                                                    Strings
                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B84C
                                                    • DisplayName, xrefs: 0041B8E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEnumOpen
                                                    • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                    • API String ID: 1332880857-3614651759
                                                    • Opcode ID: 076c50df7618aadf373f3c01ed9bd4609fd971215d56056228721ff8a86bdb77
                                                    • Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
                                                    • Opcode Fuzzy Hash: 076c50df7618aadf373f3c01ed9bd4609fd971215d56056228721ff8a86bdb77
                                                    • Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Eventinet_ntoa
                                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                    • API String ID: 3578746661-4192532303
                                                    • Opcode ID: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                                    • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                                    • Opcode Fuzzy Hash: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                                    • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • Sleep.KERNEL32(00000064), ref: 00416688
                                                    • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CreateDeleteExecuteShellSleep
                                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                    • API String ID: 1462127192-2001430897
                                                    • Opcode ID: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                                    • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                                    • Opcode Fuzzy Hash: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                                    • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                                                    APIs
                                                    • _strftime.LIBCMT ref: 00401AD3
                                                      • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                    • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                    • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                    • API String ID: 3809562944-3643129801
                                                    • Opcode ID: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                                    • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                                    • Opcode Fuzzy Hash: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                                    • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                                    APIs
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                    • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                    • waveInStart.WINMM ref: 00401A81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                    • String ID: XCG$`=G$x=G
                                                    • API String ID: 1356121797-903574159
                                                    • Opcode ID: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                                    • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                                    • Opcode Fuzzy Hash: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                                    • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                                      • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                      • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                      • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                                    • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                                    • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                                    • TranslateMessage.USER32(?), ref: 0041CA0B
                                                    • DispatchMessageA.USER32(?), ref: 0041CA15
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                    • String ID: Remcos
                                                    • API String ID: 1970332568-165870891
                                                    • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                    • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                                    • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                    • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                    • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                                    • Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                    • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                                    APIs
                                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                                                    • __alloca_probe_16.LIBCMT ref: 00452CA1
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                                                    • __alloca_probe_16.LIBCMT ref: 00452D4B
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                                                    • __freea.LIBCMT ref: 00452DBA
                                                    • __freea.LIBCMT ref: 00452DC6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                    • String ID:
                                                    • API String ID: 201697637-0
                                                    • Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                    • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                                                    • Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                    • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • _memcmp.LIBVCRUNTIME ref: 004446B3
                                                    • _free.LIBCMT ref: 00444724
                                                    • _free.LIBCMT ref: 0044473D
                                                    • _free.LIBCMT ref: 0044476F
                                                    • _free.LIBCMT ref: 00444778
                                                    • _free.LIBCMT ref: 00444784
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorLast$_abort_memcmp
                                                    • String ID: C
                                                    • API String ID: 1679612858-1037565863
                                                    • Opcode ID: 78a772055084dd11d4ef40813aeefa18dab1270aefb2628fdec0a9e84f74d69a
                                                    • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                                                    • Opcode Fuzzy Hash: 78a772055084dd11d4ef40813aeefa18dab1270aefb2628fdec0a9e84f74d69a
                                                    • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: tcp$udp
                                                    • API String ID: 0-3725065008
                                                    • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                    • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                                                    • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                    • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                      • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                      • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEnumInfoOpenQuerysend
                                                    • String ID: TUF$TUFTUF$>G$DG$DG
                                                    • API String ID: 3114080316-72097156
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                      • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                      • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                    • String ID: .part
                                                    • API String ID: 1303771098-3499674018
                                                    APIs
                                                      • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                      • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                      • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                      • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                    • _wcslen.LIBCMT ref: 0041A906
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                    • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                    • API String ID: 3286818993-703403762
                                                    APIs
                                                      • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                      • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                      • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                    • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                                    • API String ID: 1133728706-1738023494
                                                    APIs
                                                    • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                                    • GetConsoleWindow.KERNEL32 ref: 0041BECF
                                                    • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Console$Window$AllocOutputShow
                                                    • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                    • API String ID: 4067487056-2527699604
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
                                                    • __alloca_probe_16.LIBCMT ref: 004499F2
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
                                                    • __alloca_probe_16.LIBCMT ref: 00449AD7
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                                                    • __freea.LIBCMT ref: 00449B47
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • __freea.LIBCMT ref: 00449B50
                                                    • __freea.LIBCMT ref: 00449B75
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 3864826663-0
                                                    APIs
                                                    • SendInput.USER32 ref: 00418B18
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                                                      • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InputSend$Virtual
                                                    • String ID:
                                                    • API String ID: 1167301434-0
                                                    APIs
                                                    • OpenClipboard.USER32 ref: 00415A46
                                                    • EmptyClipboard.USER32 ref: 00415A54
                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                    • OpenClipboard.USER32 ref: 00415A61
                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                    • CloseClipboard.USER32 ref: 00415A89
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                    • String ID:
                                                    • API String ID: 2172192267-0
                                                    APIs
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __freea$__alloca_probe_16
                                                    • String ID: a/p$am/pm$fD
                                                    • API String ID: 3509577899-1143445303
                                                    APIs
                                                    • _free.LIBCMT ref: 00447ECC
                                                    • _free.LIBCMT ref: 00447EF0
                                                    • _free.LIBCMT ref: 00448077
                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                                    • _free.LIBCMT ref: 00448243
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                    • String ID:
                                                    • API String ID: 314583886-0
                                                    APIs
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                    • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                                    • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                    • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                                    APIs
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • _free.LIBCMT ref: 00444096
                                                    • _free.LIBCMT ref: 004440AD
                                                    • _free.LIBCMT ref: 004440CC
                                                    • _free.LIBCMT ref: 004440E7
                                                    • _free.LIBCMT ref: 004440FE
                                                    • API ID: _free$AllocateHeap
                                                    • String ID: Z7D
                                                    • API String ID: 3033488037-2145146825
                                                    • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                    • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                                    • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                    • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                                    APIs
                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                                    • __fassign.LIBCMT ref: 0044A190
                                                    • __fassign.LIBCMT ref: 0044A1AB
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                                    • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                                    • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID:
                                                    • API String ID: 1324828854-0
                                                    • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                    • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                                    • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                    • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                                    APIs
                                                    • ExitThread.KERNEL32 ref: 004017F4
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • __Init_thread_footer.LIBCMT ref: 004017BC
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                    • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                    • String ID: T=G$>G$>G
                                                    • API String ID: 1596592924-1617985637
                                                    • Opcode ID: 7fea690cd5114764ac3b3016db8b19bc4d1365cb468e8419b76e50a1049d06b2
                                                    • Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
                                                    • Opcode Fuzzy Hash: 7fea690cd5114764ac3b3016db8b19bc4d1365cb468e8419b76e50a1049d06b2
                                                    • Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
                                                    APIs
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                      • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                      • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                                                      • Part of subcall function 0041B197: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1B7
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                    • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                    • String ID: PgF
                                                    • API String ID: 2180151492-654241383
                                                    • Opcode ID: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                                    • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                                                    • Opcode Fuzzy Hash: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                                    • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437B51
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 1170836740-1018135373
                                                    • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                    • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                                                    • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                    • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                    • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                                                    • Opcode Fuzzy Hash: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                    • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                    • int.LIBCPMT ref: 0040FC0F
                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                    • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                    • String ID: p[G
                                                    • API String ID: 2536120697-440918510
                                                    • Opcode ID: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                                                    • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                                                    • Opcode Fuzzy Hash: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                                                    • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                                                    APIs
                                                      • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                                    • _free.LIBCMT ref: 0044FD39
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 0044FD44
                                                    • _free.LIBCMT ref: 0044FD4F
                                                    • _free.LIBCMT ref: 0044FDA3
                                                    • _free.LIBCMT ref: 0044FDAE
                                                    • _free.LIBCMT ref: 0044FDB9
                                                    • _free.LIBCMT ref: 0044FDC4
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                    • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                                                    • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                    • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                                                    APIs
                                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe), ref: 00406835
                                                      • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                      • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                    • CoUninitialize.OLE32 ref: 0040688E
                                                    Strings
                                                    • C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                    • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                    • [+] before ShellExec, xrefs: 00406856
                                                    • [+] ShellExec success, xrefs: 00406873
                                                    • API ID: InitializeObjectUninitialize_wcslen
                                                    • String ID: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                    • API String ID: 3851391207-3674465075
                                                    • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                    • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                    • Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                    • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                    • int.LIBCPMT ref: 0040FEF2
                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                    • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                    • String ID: h]G
                                                    • API String ID: 2536120697-1579725984
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                    • GetLastError.KERNEL32 ref: 0040B2EE
                                                    Strings
                                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                    • [Chrome Cookies not found], xrefs: 0040B308
                                                    • UserProfile, xrefs: 0040B2B4
                                                    • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast
                                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                    • API String ID: 2018770650-304995407
                                                    Strings
                                                    • BG, xrefs: 00406909
                                                    • C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe, xrefs: 00406927
                                                    • Rmc-Y2VJ1N, xrefs: 0040693F
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe$Rmc-Y2VJ1N$BG
                                                    • API String ID: 0-1831586224
                                                    APIs
                                                    • _free.LIBCMT ref: 00443315
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00443327
                                                    • _free.LIBCMT ref: 0044333A
                                                    • _free.LIBCMT ref: 0044334B
                                                    • _free.LIBCMT ref: 0044335C
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID: 0O}
                                                    • API String ID: 776569668-2189386441
                                                    APIs
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                                                    • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                                                    • Sleep.KERNEL32(00002710), ref: 00419F89
                                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                                                    Similarity
                                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                                    • String ID: Alarm triggered$`#v
                                                    • API String ID: 614609389-3049340936
                                                    APIs
                                                    • __allrem.LIBCMT ref: 00439799
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                                                    • __allrem.LIBCMT ref: 004397CC
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                                                    • __allrem.LIBCMT ref: 00439801
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                    • String ID:
                                                    • API String ID: 1992179935-0
                                                    Similarity
                                                    • API ID: __cftoe
                                                    • String ID:
                                                    • API String ID: 4189289331-0
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                      • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                    Similarity
                                                    • API ID: H_prologSleep
                                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                    • API String ID: 3469354165-462540288
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                    • String ID:
                                                    • API String ID: 493672254-0
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                                                    • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                    • _free.LIBCMT ref: 00446F06
                                                    • _free.LIBCMT ref: 00446F2E
                                                    • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                    • _abort.LIBCMT ref: 00446F4D
                                                    Similarity
                                                    • API ID: ErrorLast$_free$_abort
                                                    • String ID:
                                                    • API String ID: 3160817290-0
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    APIs
                                                    • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Enum$InfoQueryValue
                                                    • String ID: [regsplt]$DG
                                                    • API String ID: 3554306468-1089238109
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe,00000104), ref: 00442724
                                                    • _free.LIBCMT ref: 004427EF
                                                    • _free.LIBCMT ref: 004427F9
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: @)|$C:\Users\user\Desktop\1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe
                                                    • API String ID: 2506810119-2184243837
                                                    APIs
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                    • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                                    • API String ID: 2974294136-4018440003
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                                                    • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                                                    • __dosmaperr.LIBCMT ref: 0044AB0E
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseErrorHandleLast__dosmaperr
                                                    • String ID: ]~$`@
                                                    • API String ID: 2583163307-1948946983
                                                    APIs
                                                    • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                    • GetLastError.KERNEL32 ref: 0041CAA1
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClassCreateErrorLastRegisterWindow
                                                    • String ID: 0$MsgWindowClass
                                                    • API String ID: 2877667751-2410386613
                                                    APIs
                                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                    • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                    • CloseHandle.KERNEL32(?), ref: 00406A14
                                                    Strings
                                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                    • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandle$CreateProcess
                                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                    • API String ID: 2922976086-4183131282
                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002), ref: 00442609
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044263F
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    APIs
                                                    • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                    • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                    • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: pth_unenc$BG
                                                    • API String ID: 1818849710-2233081382
                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                    • SetEvent.KERNEL32(00000304), ref: 00404AF9
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                    • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                    • String ID: KeepAlive | Disabled
                                                    • API String ID: 2993684571-305739064
                                                    • Opcode ID: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                                    • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                                                    • Opcode Fuzzy Hash: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                                    • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                                                    Strings
                                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                    • API String ID: 3024135584-2418719853
                                                    • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                    • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                    • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                    • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                    • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                                                    • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                    • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                                                    APIs
                                                      • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                    • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                    • String ID:
                                                    • API String ID: 3525466593-0
                                                    • Opcode ID: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                    • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                                                    • Opcode Fuzzy Hash: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                    • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                    • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                                                    • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                    • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
                                                    • __alloca_probe_16.LIBCMT ref: 0044FF68
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
                                                    • __freea.LIBCMT ref: 0044FFD4
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                    • String ID:
                                                    • API String ID: 313313983-0
                                                    • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                    • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                                                    • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                    • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                                                    • _free.LIBCMT ref: 0044E1B0
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                    • String ID:
                                                    • API String ID: 336800556-0
                                                    • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                    • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                                                    • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                    • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                                                    APIs
                                                    • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445369,00440AAB,00000000,?,?,?,?,00440C8E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F58
                                                    • _free.LIBCMT ref: 00446F8D
                                                    • _free.LIBCMT ref: 00446FB4
                                                    • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FC1
                                                    • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                    • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                                                    • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                    • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F
                                                    APIs
                                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3D8
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseHandleOpen$FileImageName
                                                    • String ID:
                                                    • API String ID: 2951400881-0
                                                    • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                    • Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
                                                    • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                    • Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
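The entries above are emitted in a fixed plain-text layout (an APIs list with `ref:` call-site addresses and indented "Part of subcall function" lines, then String ID, Opcode ID and fuzzy-hash fields), which makes them easy to turn into records for pivoting across samples. The parser below is an added example, not Joe Sandbox code; it assumes exactly the layout shown on this page, and its sample input is a constructed excerpt of the KeepAlive event entry and the OpenProcess/GetProcessImageFileNameW entry copied from the page. It also decodes the OpenProcess desired-access masks the report prints as raw hex (0x1000 and 0x400), using the documented PROCESS_* constant values.

```python
"""Added example: parse Joe Sandbox per-function entries into records and decode
OpenProcess access masks. Not Joe Sandbox code; assumes the page's text layout."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt: two entries copied from the page, non-essential lines trimmed.
SAMPLE = """\
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
• SetEvent.KERNEL32(00000304), ref: 00404AF9
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
• CloseHandle.KERNEL32(00000000), ref: 00404B0D
  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
• Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3D8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
• Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address from "ref:"
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" lines

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z0-9_]+)"
                    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*?)\s*$")
STRING_RE = re.compile(r"^\s*•\s*(.*?),\s*xrefs:\s*[0-9A-Fa-f]+\s*$")
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
          "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy_hash",
          "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}

def parse_report(text: str) -> List[FunctionEntry]:
    """Split the report text into entries; "Instruction Fuzzy Hash" closes each one.
    An entry cut off before that line (a truncated page) is dropped, not guessed."""
    entries, cur, section = [], FunctionEntry(), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            section = stripped
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            sub, name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(name, module, args.split(",") if args else [], ref, sub))
            continue
        if section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append(m.group(1))
            continue
        m = KV_RE.match(line)
        if m and m.group(1) in FIELDS:
            setattr(cur, FIELDS[m.group(1)], m.group(2))
            if m.group(1) == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = FunctionEntry()
    return entries

# Process-specific access rights (winnt.h values); STANDARD_RIGHTS_*/SYNCHRONIZE bits are left raw.
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
                  0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
                  0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}

def decode_process_access(mask: int) -> List[str]:
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_ACCESS)
    if rest:
        names.append(f"0x{rest:X}")
    return names

def open_process_rights(entry: FunctionEntry) -> List[List[str]]:
    """Decoded dwDesiredAccess of every OpenProcess call whose first argument is concrete."""
    return [decode_process_access(int(c.args[0], 16))
            for c in entry.apis if c.name == "OpenProcess" and c.args and c.args[0] != "?"]

def find_by_api(entries: List[FunctionEntry], api_name: str) -> List[FunctionEntry]:
    return [e for e in entries if any(c.name == api_name for c in e.apis)]

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(e.instruction_fuzzy_hash[:16], [c.name for c in e.apis], open_process_rights(e))
```

Run against a saved copy of the report text, the Opcode ID and Instruction Fuzzy Hash fields give per-function keys to match against other samples, and `open_process_rights` shows the two-step pattern in the entry above: a first attempt with PROCESS_QUERY_LIMITED_INFORMATION (0x1000), then PROCESS_QUERY_INFORMATION (0x400), before GetProcessImageFileNameW is called on the resulting handle.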
                                                    APIs
                                                    • _free.LIBCMT ref: 0044F7C5
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 0044F7D7
                                                    • _free.LIBCMT ref: 0044F7E9
                                                    • _free.LIBCMT ref: 0044F7FB
                                                    • _free.LIBCMT ref: 0044F80D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                    • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                                                    • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                    • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                                                    APIs
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                    • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                    • IsWindowVisible.USER32(?), ref: 004167A1
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProcessWindow$Open$TextThreadVisible
                                                    • String ID: (FG
                                                    • API String ID: 3142014140-2273637114
                                                    • Opcode ID: 9c79950384effebaea9bf5315d724d682c4e552b57ef82da1617336c4fbf6aa3
                                                    • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                                                    • Opcode Fuzzy Hash: 9c79950384effebaea9bf5315d724d682c4e552b57ef82da1617336c4fbf6aa3
                                                    • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                                                    APIs
                                                    • _strpbrk.LIBCMT ref: 0044D4B8
                                                    • _free.LIBCMT ref: 0044D5D5
                                                      • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00000000,0000000A,0000000A,00000000,0041AD77,00000022,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                                                      • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A888
                                                      • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000), ref: 0043A88F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                    • String ID: *?$.
                                                    • API String ID: 2812119850-3972193922
                                                    • Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                    • Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
                                                    • Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                    • Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54
                                                    APIs
                                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                      • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                    • String ID: XCG$`AG$>G
                                                    • API String ID: 2334542088-2372832151
                                                    • Opcode ID: 00ea031b35fe0dcf3e6aee1b05692aa2f53a6727008682770bd88c291a01c214
                                                    • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                                                    • Opcode Fuzzy Hash: 00ea031b35fe0dcf3e6aee1b05692aa2f53a6727008682770bd88c291a01c214
                                                    • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                                                    APIs
                                                    • send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                    • SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EventObjectSingleWaitsend
                                                    • String ID: LAL
                                                    • API String ID: 3963590051-3302426157
                                                    • Opcode ID: 889e258d40d688e8ee903db4c56f8f2297e8d08d484f71769d69523f674e6bf6
                                                    • Instruction ID: 8f6f307dcfa5e25975ae7096dc57d747427bb4b25c3784bf73346896dbb4b4c1
                                                    • Opcode Fuzzy Hash: 889e258d40d688e8ee903db4c56f8f2297e8d08d484f71769d69523f674e6bf6
                                                    • Instruction Fuzzy Hash: B82123B29001196BCF04ABA5DC96DEE777CBF54358B00413EF916B21E1EA78AA04D6A4
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                    • String ID: /sort "Visit Time" /stext "$8>G
                                                    • API String ID: 368326130-2663660666
                                                    • Opcode ID: 247849771554e330f4c56d3a549adbf02a50afc28c9a0bb45716f413473523db
                                                    • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                                                    • Opcode Fuzzy Hash: 247849771554e330f4c56d3a549adbf02a50afc28c9a0bb45716f413473523db
                                                    • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 0044DDF7: _abort.LIBCMT ref: 0044DE29
                                                      • Part of subcall function 0044DDF7: _free.LIBCMT ref: 0044DE5D
                                                      • Part of subcall function 0044DA6C: GetOEMCP.KERNEL32(00000000,?,?,0044DCF5,?), ref: 0044DA97
                                                    • _free.LIBCMT ref: 0044DD50
                                                    • _free.LIBCMT ref: 0044DD86
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorLast_abort
                                                    • String ID: 0O}$0O}
                                                    • API String ID: 2991157371-2553111897
                                                    • Opcode ID: 9ec75d27e75173005142ff49c1fb8a194fa534556bd27181e1428d408c7a2cd6
                                                    • Instruction ID: 051535c280fde2d090f53052f7cbdc28630d1d1560cc20bf5e789a7dafdcbbef
                                                    • Opcode Fuzzy Hash: 9ec75d27e75173005142ff49c1fb8a194fa534556bd27181e1428d408c7a2cd6
                                                    • Instruction Fuzzy Hash: 1F31C4B1D04104EFFB14EB69D441B9A77F5EF81324F2540AFE9049B2A2EB795D40CB48
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                    • wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EventLocalTimewsprintf
                                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                    • API String ID: 1497725170-1359877963
                                                    • Opcode ID: 36e69b53dc53f66025ac65368d8d55c413fea1d575b54b7dd5230514eafd662c
                                                    • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                                                    • Opcode Fuzzy Hash: 36e69b53dc53f66025ac65368d8d55c413fea1d575b54b7dd5230514eafd662c
                                                    • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                                                    APIs
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                    • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$LocalTime$wsprintf
                                                    • String ID: Online Keylogger Started
                                                    • API String ID: 112202259-1258561607
                                                    • Opcode ID: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                                    • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                                                    • Opcode Fuzzy Hash: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                                    • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                    • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                    • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEventHandleObjectSingleWait
                                                    • String ID: Connection Timeout
                                                    • API String ID: 2055531096-499159329
                                                    • Opcode ID: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                                    • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                                                    • Opcode Fuzzy Hash: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                                    • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                      • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                                                      • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                    • String ID: bad locale name
                                                    • API String ID: 3628047217-1405518554
                                                    • Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                                    • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                                                    • Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                                    • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExecuteShell
                                                    • String ID: /C $cmd.exe$open
                                                    • API String ID: 587946157-3896048727
                                                    • Opcode ID: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                    • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                    • Opcode Fuzzy Hash: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                    • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                    APIs
                                                    • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                    • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                    • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: TerminateThread$HookUnhookWindows
                                                    • String ID: pth_unenc
                                                    • API String ID: 3123878439-4028850238
                                                    • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                    • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                    • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                    • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                    • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                                    • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                    • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                    • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                                                    • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                    • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                    • Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
                                                    • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                    • Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784
                                                    APIs
                                                    Strings
                                                    • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                    • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                    • API String ID: 3472027048-1236744412
                                                    • Opcode ID: d2a0294277962853990a195d18ad75d93c5fb84cb6733bcbd89099a09a5abd0a
                                                    • Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
                                                    • Opcode Fuzzy Hash: d2a0294277962853990a195d18ad75d93c5fb84cb6733bcbd89099a09a5abd0a
                                                    • Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
                                                    APIs
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                    • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpenQuerySleepValue
                                                    • String ID: @CG$exepath$BG
                                                    • API String ID: 4119054056-3221201242
                                                    • Opcode ID: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                    • Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
                                                    • Opcode Fuzzy Hash: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                    • Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: SystemTimes$Sleep__aulldiv
                                                    • String ID:
                                                    • API String ID: 188215759-0
                                                    • Opcode ID: a7aecd4cc0fde8f7b051f4ea324c4733a42c71902c3a125d4e8e0ff6e46eea08
                                                    • Instruction ID: a679ad691b1e431344cd65e278b90b5c6278f623fb05ceb41248f345421e7781
                                                    • Opcode Fuzzy Hash: a7aecd4cc0fde8f7b051f4ea324c4733a42c71902c3a125d4e8e0ff6e46eea08
                                                    • Instruction Fuzzy Hash: 30215E725093009BC304DFA5D98589FB7E8EFC8754F044A2EF585D3251EA35EA49CBA3
                                                    APIs
                                                      • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                                                      • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                                                      • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                                                    • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                    • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$SleepText$ForegroundLength
                                                    • String ID: [ $ ]
                                                    • API String ID: 3309952895-93608704
                                                    • Opcode ID: d9bb369aee4f6e2201f2c860cf6756c16528595133d71e2ae5baff2000eb7cae
                                                    • Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
                                                    • Opcode Fuzzy Hash: d9bb369aee4f6e2201f2c860cf6756c16528595133d71e2ae5baff2000eb7cae
                                                    • Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                    • Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
                                                    • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                    • Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                    • Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
                                                    • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                    • Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179
                                                    APIs
                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                                                      • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                                                      • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                                                    • _UnwindNestedFrames.LIBCMT ref: 00438134
                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                                                    • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                    • String ID:
                                                    • API String ID: 737400349-0
                                                    • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                    • Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
                                                    • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                    • Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                                                    • GetLastError.KERNEL32(?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                    • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                                                    • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                    • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                                                    • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleReadSize
                                                    APIs
                                                    • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                                    • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                                    • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                                    • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                                    • API ID: MetricsSystem
                                                    • API ID: _memcmp
                                                    • String ID: 4[G$4[G
                                                    APIs
                                                    • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                                    • API ID: Info
                                                    • String ID: $vD
                                                    APIs
                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C18
                                                      • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                    • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C65
                                                      • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                                      • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                    • String ID: image/jpeg
                                                    APIs
                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                                                    • String ID: ACP$OCP
                                                    APIs
                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417D04
                                                      • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D29
                                                      • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                                      • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                    • String ID: image/png
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                    Strings
                                                    • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                    • API ID: LocalTime
                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00448953
                                                    • GetFileType.KERNEL32(00000000), ref: 00448965
                                                    • API ID: FileHandleType
                                                    • String ID: P~
                                                    • API ID: _free
                                                    • String ID: P~
                                                    • String ID: LG$XG
                                                    APIs
                                                    • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • API ID: LocalTime
                                                    • String ID: | $%02i:%02i:%02i:%03i
                                                    APIs
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                                    • API ID: QueryValue
                                                    • String ID: TUF
                                                    APIs
                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 00419EBE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExistsFilePath
                                                    • String ID: TUF$alarm.wav
                                                    • API String ID: 1174141254-147985980
                                                    • Opcode ID: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                                    • Instruction ID: dd13df65ec224498850e23f6f848d4e774319f78d5db457f3497a795ed38963e
                                                    • Opcode Fuzzy Hash: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                                    • Instruction Fuzzy Hash: F301927060420166C604B676D866AEE77418BC1719F50413FF88A966E2EF7C9EC6C2CF
                                                    APIs
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                    • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                    • String ID: Online Keylogger Stopped
                                                    • API String ID: 1623830855-1496645233
                                                    • Opcode ID: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                                    • Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
                                                    • Opcode Fuzzy Hash: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                                    • Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB
                                                    APIs
                                                      • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-00471558,?,0044226B,00000000,0046DAC0,0000000C,00442226,0000000A,?,?,00448749,0000000A,?,00446F84,00000001,00000364), ref: 00444AEB
                                                    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD25), ref: 004487D5
                                                    • _free.LIBCMT ref: 004487E3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$DeleteEnter_free
                                                    • String ID: P~
                                                    • API String ID: 1836352639-3912734195
                                                    • Opcode ID: 51c516a5e2b48352a8d1142a6f6fa66a18392bb48cbd4c2db484d0120f9ea5e0
                                                    • Instruction ID: 287829ab9e6adeec9a1d6f41ac2302fb93dc16d556a643b30fe3e24787baf737
                                                    • Opcode Fuzzy Hash: 51c516a5e2b48352a8d1142a6f6fa66a18392bb48cbd4c2db484d0120f9ea5e0
                                                    • Instruction Fuzzy Hash: 80118E359002118FE714EF9DDC42B5C33B0EB04724F61405AE964AB2B2CB78E8828B0D
                                                    APIs
                                                    • waveInPrepareHeader.WINMM(007DD908,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                                                    • waveInAddBuffer.WINMM(007DD908,00000020,?,00000000,00401913), ref: 0040175D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$BufferHeaderPrepare
                                                    • String ID: T=G
                                                    • API String ID: 2315374483-379896819
                                                    • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                    • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                    • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                    • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • _abort.LIBCMT ref: 0044DE29
                                                    • _free.LIBCMT ref: 0044DE5D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast_abort_free
                                                    • String ID: 0O}
                                                    • API String ID: 289325740-2189386441
                                                    • Opcode ID: cba5e3b893efa1f4c196fd8b6ab646112b65b39245522f8e75cb99aab8fd3b38
                                                    • Instruction ID: c3d52a826ce14ac6b731adabf6d8033b48d69a437140057254d59f729b4b779c
                                                    • Opcode Fuzzy Hash: cba5e3b893efa1f4c196fd8b6ab646112b65b39245522f8e75cb99aab8fd3b38
                                                    • Instruction Fuzzy Hash: DB01A1B1D02E21DBEB71AF69980121EB3B0AF54B20B25011BE9546B381C73C6942CFCE
                                                    APIs
                                                    • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocaleValid
                                                    • String ID: IsValidLocaleName$z=D
                                                    • API String ID: 1901932003-2791046955
                                                    • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                    • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                                                    • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                    • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: T=G$T=G
                                                    • API String ID: 3519838083-3732185208
                                                    • Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                    • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                                                    • Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                    • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                                                    APIs
                                                    • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                      • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                      • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                      • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                      • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                      • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                    • String ID: [AltL]$[AltR]
                                                    • API String ID: 2738857842-2658077756
                                                    • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                    • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                    • Opcode Fuzzy Hash: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                    • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                    APIs
                                                    • _free.LIBCMT ref: 00448835
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast_free
                                                    • String ID: `@$`@
                                                    • API String ID: 1353095263-20545824
                                                    • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                    • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                                                    • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                    • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                                                    APIs
                                                    • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State
                                                    • String ID: [CtrlL]$[CtrlR]
                                                    • API String ID: 1649606143-2446555240
                                                    • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                    • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                    • Opcode Fuzzy Hash: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                    • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                    Strings
                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteOpenValue
                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                    • API String ID: 2654517830-1051519024
                                                    • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                    • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                    • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                    • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
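The entries above are easier to triage once their raw arguments are decoded: in the GetKeyState calls, 00000011 is VK_CONTROL and 00000012 is VK_MENU (Alt); in the RegOpenKeyExW call, 80000002 is the HKEY_LOCAL_MACHINE handle, and the subkey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run is a policy-enforced autostart location that is easy to overlook next to the usual Run keys. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses lines written in the format of these "APIs" entries (the sample lines are constructed by copying entries from this page), decodes those documented Windows constants, and tags capabilities with a heuristic of my own. The tag names and the API lists behind them are assumptions for this example, not report fields.

```python
# Added example: parse Joe Sandbox-style "APIs" lines, decode well-known
# Windows constants and tag capabilities.  Not Joe Sandbox's own code.
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: API lines copied in the style of the entries on this page.
SAMPLE_LINES = r"""
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
• GetKeyState.USER32(00000012), ref: 0040ADB5
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
• waveInAddBuffer.WINMM(007DD908,00000020,?,00000000,00401913), ref: 0040175D
"""

# Documented Windows constants used to decode arguments.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
                0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}
# Heuristic tagging tables (assumptions for this example, not report fields).
AUTORUN_SUBKEYS = ("CurrentVersion\\Run", "Policies\\Explorer\\Run")
KEYLOG_APIS = {"GetKeyState", "GetAsyncKeyState", "GetKeyboardState",
               "GetKeyboardLayout", "ToUnicodeEx", "ToUnicode"}
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx"}

# One report line: optional "Part of subcall function XXXXXXXX:" prefix,
# API.MODULE, optional "(args)", then "ref: <call-site address>".
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]       # raw tokens; "?" means the sandbox could not resolve it
    ref: str                    # address of the call site
    subcall: str | None = None  # set when the call sits inside a called function


def parse_api_line(line: str) -> ApiCall | None:
    m = LINE_RE.search(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = m.group("args")
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    return ApiCall(m.group("api"), m.group("module"), args,
                   m.group("ref").upper(), m.group("subfn"))


def parse_api_lines(text: str) -> list[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def _hex(token: str) -> int | None:
    try:
        return int(token, 16)
    except ValueError:          # "?" and symbolic tokens are not numbers
        return None


def describe(call: ApiCall) -> str:
    """Render a call with well-known constants decoded."""
    notes = []
    if call.api in ("GetKeyState", "GetAsyncKeyState") and call.args:
        vk = _hex(call.args[0])
        if vk in VIRTUAL_KEYS:
            notes.append(f"vKey={VIRTUAL_KEYS[vk]}")
    if call.api.startswith("RegOpenKeyEx") and call.args:
        hive = _hex(call.args[0])
        if hive in HIVES:
            notes.append(f"hKey={HIVES[hive]}")
        if len(call.args) > 1:
            notes.append(f"subkey={call.args[1]}")
    text = f"{call.api} ({call.module}) @ {call.ref}"
    if call.subcall:
        text += f" via subcall {call.subcall}"
    return text + (": " + ", ".join(notes) if notes else "")


def capabilities(calls: list[ApiCall]) -> dict[str, list[ApiCall]]:
    """Heuristic capability tags keyed on API names and decoded arguments."""
    tags: dict[str, list[ApiCall]] = {}
    for c in calls:
        if c.api in KEYLOG_APIS:
            tag = "keylogging"
        elif c.api in HOOK_APIS:
            tag = "windows_hook"
        elif c.api.startswith("waveIn"):
            tag = "audio_capture"
        elif c.api.startswith("RegOpenKeyEx") and any(
                k.lower() in a.lower() for a in c.args for k in AUTORUN_SUBKEYS):
            tag = "registry_autorun"
        elif c.api.startswith(("RegSetValueEx", "RegDeleteValue")):
            tag = "registry_value_write"
        else:
            continue
        tags.setdefault(tag, []).append(c)
    return tags


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for call in parsed:
        print(describe(call))
    for tag, hits in capabilities(parsed).items():
        print(f"{tag}: {', '.join(h.api for h in hits)}")
```

Feed it the "APIs" block of any entry on this page and it prints each call with the hive handle, subkey and virtual-key code spelled out, then the tags that fired. The registry tag keys on the opened subkey rather than on RegDeleteValueW alone, because the delete call's arguments are unresolved ("?") in the report and would otherwise be indistinguishable from ordinary registry housekeeping.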
APIs
  • Part of subcall function 00448773: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD25), ref: 004487D5
  • Part of subcall function 00448773: _free.LIBCMT ref: 004487E3
  • Part of subcall function 00448813: _free.LIBCMT ref: 00448835
• DeleteCriticalSection.KERNEL32(007E50C0), ref: 0043AD41
• _free.LIBCMT ref: 0043AD55
Strings
Memory Dump Source
• Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
Yara matches
Similarity
• API ID: _free$CriticalDeleteSection
• String ID: P~
• API String ID: 1906768660-3912734195
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
• WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
Yara matches
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
Yara matches
Similarity
• API ID: CommandLine
• String ID: @)|
• API String ID: 3253501508-2452551214
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
• GetLastError.KERNEL32 ref: 0043FB12
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
Memory Dump Source
• Source File: 00000000.00000002.4573086204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4572967711.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573146475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573175719.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4573202337.0000000000476000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0