
Windows Analysis Report
1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe

Overview

General Information

Sample name: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
Analysis ID: 1585999
MD5: 636e91c12e393d1ea1d07c9970de9cf7
SHA1: 9b4d1af92501bda15857bc286aad9a40e918259a
SHA256: 88058b77035a018b3582136f073a1fc44eee203786b76890b53ca22c090ae5d0
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration:
{"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "07-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MH2R80", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches on the submitted sample (Source | Rule | Description | Author):
1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
(1 further entry not shown)

Yara matches on dropped files (Source | Rule | Description | Author):
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches on process memory dumps (Source | Rule | Description | Author):
00000000.00000002.4171097043.00000000022BF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(10 further entries not shown)

Yara matches on unpacked PE images (Source | Rule | Description | Author):
0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(7 further entries not shown)

                              Stealing of Sensitive Information

Sigma match. Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, ProcessId: 6908, TargetFilename: C:\ProgramData\remcos\logs.dat
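The Sigma hit above is a Sysmon file-creation event (EventID 11) for the dropped keylog file. As an added example, not part of the Joe Sandbox report, the Python below applies that logic, together with the HKCU/HKLM Run persistence the extracted configuration enables for remcos.exe and the reg.exe EnableLUA modification carried in the REMCOS_RAT_variants Yara strings, to a handful of constructed Sysmon-style events. Field names follow Sysmon's schema (EventID, Image, ProcessId, TargetFilename, CommandLine, TargetObject, Details); the events are made up, as are the PIDs other than 6908 and the account SID in the Run key, and the reg.exe argument tail "/d 0 /f" is an assumption because the report's Yara string is truncated at REG_DWOR.

```python
import re
from typing import Iterable

# Indicators taken from the report: the dropped keylog file (Sigma, EventID 11),
# the reg.exe EnableLUA change in the REMCOS_RAT_variants Yara strings, and the
# HKCU/HKLM Run persistence the extracted config enables for remcos.exe.
LOGS_DAT_RE = re.compile(r"\\remcos\\logs\.dat$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
ENABLE_LUA_RE = re.compile(
    r"reg(?:\.exe)?\s+ADD\s+\S*Policies\\System\s+/v\s+EnableLUA", re.IGNORECASE)

# Constructed Sysmon-style events (not from the sandbox run). PIDs other than
# 6908, the account SID and the reg.exe tail "/d 0 /f" are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 6908,
     "Image": r"C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe",
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
    {"EventID": 1, "ProcessId": 7012, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 13, "ProcessId": 7100, "Image": r"C:\ProgramData\Remcos\remcos.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\remcos",
     "Details": r"C:\ProgramData\Remcos\remcos.exe"},
    {"EventID": 11, "ProcessId": 4321, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},  # benign control event
]


def classify(event: dict) -> list[str]:
    """Return the Remcos indicator names an event matches (empty for benign events)."""
    hits: list[str] = []
    eid = event.get("EventID")
    # Sigma logic from the report: file create of <...>\remcos\logs.dat
    if eid == 11 and LOGS_DAT_RE.search(event.get("TargetFilename", "")):
        hits.append("remcos_keylog_file_created")
    # Yara $str_a3/$str_a4: reg.exe ADD ...\Policies\System /v EnableLUA (UAC switched off)
    if eid == 1 and ENABLE_LUA_RE.search(event.get("CommandLine", "")):
        hits.append("uac_disabled_via_enablelua")
    # Config: "Setup HKCU\Run" / "Setup HKLM\Run" = Enable, "Copy file" = remcos.exe
    if (eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", ""))
            and "remcos" in event.get("Details", "").lower()):
        hits.append("run_key_persistence_remcos")
    return hits


def triage(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> indicator names for every event that matched something."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.setdefault(ev["ProcessId"], []).extend(hits)
    return findings


if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(names)}")
```

The three regexes are deliberately narrow (the exact keylog path, the exact policy value, a Run value pointing at remcos.exe) so they can be dropped into a Sysmon pipeline without noise; widen them only after checking the false-positive rate in your own telemetry.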
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2025-01-08T16:00:12.687662+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 179.15.136.6 | 1997 | TCP
2025-01-08T16:00:14.113096+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | TCP
2025-01-08T16:00:11.819235+0100 | 2834936 | 1 | A Network Trojan was detected | 192.168.2.4 | 56895 | 1.1.1.1 | 53 | UDP
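The extracted configuration and the three Suricata alerts are the report's network indicators. As an added example (not Joe Sandbox tooling), the Python below parses the Remcos "Host:Port:Password" entries, lists the persistence artefacts the configuration enables, parses the alert rows, and correlates alert destination ports with the configured C2 port. The configuration is trimmed to the keys used and re-entered here; the alert rows are the report's own values, re-entered pipe-separated so the block runs offline.

```python
import json
from dataclasses import dataclass

# Remcos configuration from this report, trimmed to the keys used below.
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"],
 "Assigned name": "07-01-25", "Connect interval": "1", "Install flag": "Disable",
 "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable",
 "Copy file": "remcos.exe", "Copy folder": "Remcos", "Mutex": "Rmc-MH2R80",
 "Keylog flag": "1", "Keylog file": "logs.dat", "Keylog folder": "remcos",
 "Screenshot flag": "Disable"}'''

# The three Suricata alerts from the report, re-entered as pipe-separated rows.
SURICATA_ROWS = [
    "2025-01-08T16:00:12.687662+0100|2036594|1|Malware Command and Control Activity Detected|192.168.2.4|49730|179.15.136.6|1997|TCP",
    "2025-01-08T16:00:14.113096+0100|2803304|3|Unknown Traffic|192.168.2.4|49731|178.237.33.50|80|TCP",
    "2025-01-08T16:00:11.819235+0100|2834936|1|A Network Trojan was detected|192.168.2.4|56895|1.1.1.1|53|UDP",
]


@dataclass(frozen=True)
class C2:
    host: str
    port: int
    password: str


def parse_c2(cfg: dict) -> list[C2]:
    """Split each 'host:port:password' entry. The password is last and may itself
    contain ':', so split from the left at most twice."""
    out = []
    for entry in cfg["Host:Port:Password"]:
        host, port, password = entry.split(":", 2)
        out.append(C2(host, int(port), password))
    return out


def persistence(cfg: dict) -> list[str]:
    """Artefacts to hunt for, derived only from settings the config enables.
    Note: "Install flag" is Disable in this config, so the Run/copy entries are
    configured capabilities, not behaviour the sandbox necessarily observed."""
    items = []
    for key in ("Setup HKCU\\Run", "Setup HKLM\\Run"):
        if cfg.get(key) == "Enable":
            items.append(key.replace("Setup ", "") + " value for " + cfg["Copy file"])
    items.append("copied binary: " + cfg["Copy folder"] + "\\" + cfg["Copy file"])
    if cfg.get("Keylog flag") == "1":
        items.append("keylog file: " + cfg["Keylog folder"] + "\\" + cfg["Keylog file"])
    items.append("mutex: " + cfg["Mutex"])
    return items


def parse_alerts(rows: list[str]) -> list[dict]:
    """Turn pipe-separated alert rows into dicts with integer SID, severity and ports."""
    fields = ("ts", "sid", "severity", "classtype", "src_ip", "src_port", "dst_ip", "dst_port", "proto")
    alerts = []
    for row in rows:
        a = dict(zip(fields, row.split("|")))
        for k in ("sid", "severity", "src_port", "dst_port"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def build_iocs(cfg_json: str = REMCOS_CONFIG_JSON, rows: list[str] = SURICATA_ROWS) -> dict:
    """Join the config-derived C2 with the alerts that actually hit that port."""
    cfg = json.loads(cfg_json)
    c2s = parse_c2(cfg)
    alerts = parse_alerts(rows)
    c2_ports = {c.port for c in c2s}
    return {
        "c2": [f"{c.host}:{c.port}" for c in c2s],
        "c2_sids": sorted(a["sid"] for a in alerts if a["dst_port"] in c2_ports),
        "c2_ips": sorted({a["dst_ip"] for a in alerts if a["dst_port"] in c2_ports}),
        "severity1_sids": sorted(a["sid"] for a in alerts if a["severity"] == 1),
        "persistence": persistence(cfg),
    }


if __name__ == "__main__":
    print(json.dumps(build_iocs(), indent=2))
```

Because the C2 is a dynamic-DNS hostname (ddnsgeek.com), the resolved 179.15.136.6 can change between runs; block and hunt on the hostname and on the Remcos JA3 signature (SID 2036594) as well as the IP. The 1.1.1.1:53 alert is the DNS lookup of that hostname and therefore does not surface as a C2 port match.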



                              AV Detection

Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe; Avira: detected
Source: municipioalcidiadechicamocha.ddnsgeek.com; Avira URL Cloud: Label: malware
Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "07-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MH2R80", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe; ReversingLabs: Detection: 71%
                              Source: Yara matchFile source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE
                              Source: Yara matchFile source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000000.00000002.4171097043.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe; Joe Sandbox ML: detected
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043294A
Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----

                              Exploits

                              Source: Yara matchFile source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE
                              Source: Yara matchFile source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR

                              Privilege Escalation

                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B43F
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C79
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

                              Networking

Source: Network traffic; Suricata IDS: 2834936 - Severity 1 - ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) : 192.168.2.4:56895 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 179.15.136.6:1997
Source: Malware configuration extractor; URLs: municipioalcidiadechicamocha.ddnsgeek.com
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 179.15.136.6:1997
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 178.237.33.50
Source: Joe Sandbox View; ASN Name: ColombiaMovilCO
Source: Network traffic; Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 178.237.33.50:80
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00426107 recv,0_2_00426107
                              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                              Source: global trafficDNS traffic detected: DNS query: municipioalcidiadechicamocha.ddnsgeek.com
                              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/c
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000601000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000601000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpJuy
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000601000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000601000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpRM5
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000601000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000601000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpcM
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.000000000060C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl

                              Key, Mouse, Clipboard, Microphone and Screen Capturing

                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000000_2_004099E4
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeJump to behavior
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
                              Source: Yara matchFile source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE
                              Source: Yara matchFile source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR

                              E-Banking Fraud

                              Source: Yara matchFile source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE
                              Source: Yara matchFile source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000000.00000002.4171097043.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_0041BB81 SystemParametersInfoW,0_2_0041BB81
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exeCode function: 0_2_0041BB87 SystemParametersInfoW,0_2_0041BB87

                              System Summary

Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE; Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
Source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
Source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
Source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
Source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen
Source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
Source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
Source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965; Author: unknown
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Process Stats: CPU usage > 49%
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0041ACD1 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0041ACD1
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0041ACFD OpenProcess,NtResumeProcess,CloseHandle, 0_2_0041ACFD
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_004158B9
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_004520E2 0_2_004520E2
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0041D081 0_2_0041D081
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0043D0A8 0_2_0043D0A8
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00437160 0_2_00437160
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_004361BA 0_2_004361BA
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00426264 0_2_00426264
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00431387 0_2_00431387
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0043652C 0_2_0043652C
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0041E5EF 0_2_0041E5EF
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0044C749 0_2_0044C749
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_004367D6 0_2_004367D6
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_004267DB 0_2_004267DB
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0043C9ED 0_2_0043C9ED
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00432A59 0_2_00432A59
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00436A9D 0_2_00436A9D
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0043CC1C 0_2_0043CC1C
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00436D58 0_2_00436D58
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00434D32 0_2_00434D32
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0043CE4B 0_2_0043CE4B
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00440E30 0_2_00440E30
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00426E83 0_2_00426E83
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00412F45 0_2_00412F45
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00452F10 0_2_00452F10
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00426FBD 0_2_00426FBD
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: String function: 00401F66 appears 50 times
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: String function: 004020E7 appears 40 times
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: String function: 004338B5 appears 42 times
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: String function: 00433FC0 appears 55 times
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                              Source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                              Source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                              Source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                              Source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                              Source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                              Source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                              Source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                              Source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                              Source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                              Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00416AB7
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_0040E219
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_0041A64F
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Code function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_00419BD4
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MH2R80
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: XCG 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: Software\ 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: Rmc-MH2R80 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: Exe 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: 0DG 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: Inj 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: BG 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: p=\ 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: exepath 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: licence 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: `=G 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: dCG 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: Administrator 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: User 0_2_0040D767
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Command line argument: del 0_2_0040D767
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe ReversingLabs: Detection: 71%
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: apphelp.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: winmm.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: urlmon.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: wininet.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: iertutil.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: srvcli.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: netutils.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: iphlpapi.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: sspicli.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: mswsock.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: dnsapi.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: rasadhlp.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: fwpuclnt.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: cryptsp.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: rsaenh.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: cryptbase.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: windows.storage.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: wldp.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: profapi.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: kernel.appcore.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: winhttp.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Section loaded: winnsi.dll
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCF3
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00434006 push ecx; ret 0_2_00434019
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_004567F0 push eax; ret 0_2_0045680E
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00455EBF push ecx; ret 0_2_00455ED2
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BD4
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198D2
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Window / User API: threadDelayed 5442
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Window / User API: threadDelayed 4044
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Window / User API: foregroundWindowGot 1766
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe TID: 6976 | Thread sleep count: 247 > 30
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe TID: 6976 | Thread sleep time: -123500s >= -30000s
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe TID: 6972 | Thread sleep count: 5442 > 30
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe TID: 6972 | Thread sleep time: -16326000s >= -30000s
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe TID: 6972 | Thread sleep count: 4044 > 30
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe TID: 6972 | Thread sleep time: -12132000s >= -30000s
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B43F
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C79
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000639000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000639000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | API call chain: ExitProcess graph end node graph_0-47315
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A66D
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00442564 mov eax, dword ptr fs:[00000030h] 0_2_00442564
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0044E93E GetProcessHeap,0_2_0044E93E
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434178
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B54
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00433CE7 SetUnhandledExceptionFilter,0_2_00433CE7
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410F36
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00418764 mouse_event,0_2_00418764
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\q
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\437
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\16
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerl6\
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernet/
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\^
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\33
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\Z
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager80\49c
                              Source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00433E1A cpuid 0_2_00433E1A
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetLocaleInfoA,0_2_0040E679
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004510CA
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_004470BE
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511F3
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004512FA
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513C7
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004475A7
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A8F
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450D52
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450D07
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450DED
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E7A
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_0041A7B2 GetComputerNameExW,GetUserNameW,0_2_0041A7B2
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: 0_2_00448067 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00448067
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                              Stealing of Sensitive Information

                              Source: Yara match | File source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE
                              Source: Yara match | File source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000000.00000002.4171097043.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: \key3.db 0_2_0040B335

                              Remote Access Functionality

                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MH2R80
                              Source: Yara match | File source: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, type: SAMPLE
                              Source: Yara match | File source: 0.0.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000000.00000002.4171097043.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe PID: 6908, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                              Source: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Code function: cmd.exe 0_2_00405042
                              MITRE ATT&CK Matrix (a number before a technique is the count of matching signatures; techniques without a number were not matched by any signature)

                              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                              Execution: 1 Native API; 12 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                              Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                              Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 11 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                              Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; HTML Smuggling; Dynamic API Resolution
                              Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                              Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 23 System Information Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
                              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                              Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                              Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                              Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                              Source | Detection | Scanner | Label | Link
                              1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos |
                              1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
                              1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | 100% | Joe Sandbox ML | |
                              No Antivirus matches
                              No Antivirus matches
                              No Antivirus matches
                              Source | Detection | Scanner | Label | Link
                              municipioalcidiadechicamocha.ddnsgeek.com | 100% | Avira URL Cloud | malware |
                              Name | IP | Active | Malicious | Antivirus Detection | Reputation
                              geoplugin.net | 178.237.33.50 | true | false | | high
                              municipioalcidiadechicamocha.ddnsgeek.com | 179.15.136.6 | true | true | | unknown
                              Name | Malicious | Antivirus Detection | Reputation
                              http://geoplugin.net/json.gp | false | | high
                              municipioalcidiadechicamocha.ddnsgeek.com | true | Avira URL Cloud: malware | unknown
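The host-observable indicators this report yields are spread across several sections: the mutex Rmc-MH2R80 and the dropped C:\ProgramData\remcos\logs.dat in the Remote Access Functionality and Stealing of Sensitive Information signatures, the Chrome "Login Data" and Firefox profile/key3.db paths, the MachineGuid registry read, and the domains and address in the tables just above. As an added example (not part of the Joe Sandbox report and not Remcos code), the Python below turns those indicators into a small scoring rule that can be run over endpoint telemetry. The event schema, the per-severity weights and threshold, and the sample events are constructed assumptions; the indicator values themselves are transcribed from the report. The design point is that geoplugin.net and the MachineGuid read are legitimate-looking on their own (the report itself rates geoplugin.net "high" reputation), so they only corroborate, while the mutex, the C2 domain or address and the keylog file are each decisive.

```python
import re
from collections import Counter

# Indicators transcribed from the report above.
REMCOS_MUTEX = "Rmc-MH2R80"
REMCOS_MUTEX_PREFIX = "Rmc-"
REMCOS_LOG_PATH = r"c:\programdata\remcos\logs.dat"
C2_DOMAINS = {"municipioalcidiadechicamocha.ddnsgeek.com"}
C2_IPS = {"179.15.136.6"}
CHECKIN_HOSTS = {"geoplugin.net"}          # legitimate geolocation service: low confidence alone
MACHINEGUID_KEY = r"hkey_local_machine\software\microsoft\cryptography"
BROWSER_CRED_PATHS = (
    "\\google\\chrome\\user data\\default\\login data",
    "\\mozilla\\firefox\\profiles\\",
)
BROWSER_IMAGES = {"chrome.exe", "firefox.exe"}   # the processes allowed to touch those stores

# Scoring is an assumption, not from the report: one high-confidence hit flags a process,
# medium and low hits only add up.
WEIGHTS = {"high": 10, "medium": 4, "low": 1}
THRESHOLD = 10

_SESSION_PREFIX = re.compile(r"^\\sessions\\\d+\\basenamedobjects\\", re.IGNORECASE)


def normalize_mutex(name: str) -> str:
    """Strip the per-session object-directory prefix the sandbox shows."""
    return _SESSION_PREFIX.sub("", name)


def classify(event: dict):
    """Return (severity, reason) when an event matches a report indicator, else None."""
    kind = event["type"]
    if kind == "mutex":
        name = normalize_mutex(event["name"])
        if name == REMCOS_MUTEX:
            return "high", f"Remcos mutex from this sample: {name}"
        if name.startswith(REMCOS_MUTEX_PREFIX):
            return "high", f"Remcos-style mutex: {name}"
    elif kind == "file_create":
        if event["path"].lower() == REMCOS_LOG_PATH:
            return "high", "Remcos keylog file created"
    elif kind == "file_read":
        path, image = event["path"].lower(), event["image"].lower()
        if any(p in path for p in BROWSER_CRED_PATHS) and image not in BROWSER_IMAGES:
            return "medium", f"browser credential store read by {image}"
    elif kind == "dns":
        query = event["query"].lower()
        if query in C2_DOMAINS:
            return "high", f"C2 domain resolved: {query}"
        if query in CHECKIN_HOSTS:
            return "low", f"geolocation check-in: {query}"
    elif kind == "connect":
        if event["dst_ip"] in C2_IPS:
            return "high", f"connection to C2 address {event['dst_ip']}"
    elif kind == "registry_read":
        if event["key"].lower() == MACHINEGUID_KEY and event["value"].lower() == "machineguid":
            return "low", "MachineGuid read (victim identifier)"
    return None


def evaluate(events):
    """Return (findings, flagged_pids): per-event matches and the processes over threshold."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"pid": ev["pid"], "severity": hit[0], "reason": hit[1]})
    score = Counter()
    for f in findings:
        score[f["pid"]] += WEIGHTS[f["severity"]]
    return findings, {pid for pid, s in score.items() if s >= THRESHOLD}


# Constructed telemetry: PID 6908 mirrors the sample's reported behaviour; 4321 is a benign
# browser reading its own store and 5550 a benign application that also calls geoplugin.net.
SAMPLE_NAME = "1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe"
SAMPLE_EVENTS = [
    {"type": "mutex", "pid": 6908, "name": r"\Sessions\1\BaseNamedObjects\Rmc-MH2R80"},
    {"type": "registry_read", "pid": 6908, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
    {"type": "file_read", "pid": 6908, "image": SAMPLE_NAME, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 6908, "image": SAMPLE_NAME, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\key3.db"},
    {"type": "dns", "pid": 6908, "query": "geoplugin.net"},
    {"type": "dns", "pid": 6908, "query": "municipioalcidiadechicamocha.ddnsgeek.com"},
    {"type": "connect", "pid": 6908, "dst_ip": "179.15.136.6"},
    {"type": "file_create", "pid": 6908, "path": r"C:\ProgramData\remcos\logs.dat"},
    {"type": "file_read", "pid": 4321, "image": "chrome.exe", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns", "pid": 5550, "query": "geoplugin.net"},
]

if __name__ == "__main__":
    findings, flagged = evaluate(SAMPLE_EVENTS)
    for f in findings:
        print(f"pid {f['pid']:5d} {f['severity']:6s} {f['reason']}")
    print("flagged:", sorted(flagged))
```

The mutex prefix rule is broader than the single value the report shows, because Remcos derives the suffix from the build configuration; treating Rmc- as the stable part is what makes the rule survive the next rebuild, and the C2 domain is a dynamic-DNS host whose address can change, so the domain and the IP are checked independently.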
                              Name | Source | Malicious | Antivirus Detection | Reputation
                              http://geoplugin.net/json.gpJuy | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              http://geoplugin.net/json.gpcM | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000601000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000601000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              http://geoplugin.net/ | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              http://geoplugin.net/c | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000623000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              http://geoplugin.net/json.gpRM5 | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.0000000000601000.00000004.00000020.00020000.00000000.sdmp, 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.0000000000601000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              http://geoplugin.net/json.gp/C | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | false | | high
                              http://geoplugin.net/json.gpl | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000003.1743907425.000000000060C000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              http://geoplugin.net/json.gpSystem32 | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
179.15.136.6 | municipioalcidiadechicamocha.ddnsgeek.com | Colombia | 27831 | ColombiaMovilCO | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585999
Start date and time: 2025-01-08 15:59:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 38
• Number of non-executed functions: 198
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
Time | Type | Description
10:00:42 | API Interceptor | 6623490x Sleep call for process: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe modified
Process: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.312495185583119
Encrypted: false
SSDEEP: 3:rgls1MNtliqlDl5JWRal2Jl+7R0DAlBG45klovDl6v:MlsaNyql55YcIeeDAlOWAv
MD5: 5354363186EBFEA257491611AE0A9A14
SHA1: 79CC8E8EE3C2795290C81FDDF7BCA5DBEAACE7E6
SHA-256: 1834244BFDDCA5692063841902441F27272F6999E031FE63D665C81E031A5178
SHA-512: F3D43B5D8512FD359F9B485BE895922A94D0611462BEC6E10B4C157F8FCFD1214B93AA414937A8D562FC0788DDE0AE0957B82E820A9FF54B742331E9BDB5EA4A
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.5./.0.1./.0.8. .1.0.:.0.0.:.1.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.020394374229354
Encrypted: false
SSDEEP: 12:tkluWJmnd61GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdluKyGX85jvXhNlT3/7AcV9Wro
MD5: 7FC455BC78A39D81071CD646DCA331AE
SHA1: 980ECE75E080350021F663F341E4EF44F474DE65
SHA-256: F389BFBE0B7188EBF3E1695319083E0E5C458F820CA5A1A503038E38F8FF98A1
SHA-512: B65C9D8CF0960AC1511822AED534B0EC2AC5714D504383CEBE0F16A0526FFA810FE4288E05868FD5991557FA1648266881E713C8E8F7968E976807D40601D63A
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"3ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.586627522474746
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
File size: 493'056 bytes
MD5: 636e91c12e393d1ea1d07c9970de9cf7
SHA1: 9b4d1af92501bda15857bc286aad9a40e918259a
SHA256: 88058b77035a018b3582136f073a1fc44eee203786b76890b53ca22c090ae5d0
SHA512: 58ec575c6f2da8d76ecefd4df76bae19fa0c1b8b073ac5d93d099d383901e8b48e85e11de36a62861b18c9348cb671cfaaafe6136462fd7d5469720cf2205896
SSDEEP: 12288:/9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5x+P32:d43HfwIGYMcn5PJrZj+
TLSH: BEA4BE01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
Icon Hash: 95694d05214c1b33
Entrypoint: 0x433b4a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6752B172 [Fri Dec 6 08:10:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: e77512f955eaf60ccff45e02d69234de
Instructions (disassembly preview):
                                                      call 00007FAF60B5B803h
                                                      jmp 00007FAF60B5B15Fh
                                                      push ebp
                                                      mov ebp, esp
                                                      sub esp, 00000324h
                                                      push ebx
                                                      push 00000017h
                                                      call 00007FAF60B7D639h
                                                      test eax, eax
                                                      je 00007FAF60B5B2E7h
                                                      mov ecx, dword ptr [ebp+08h]
                                                      int 29h
                                                      push 00000003h
                                                      call 00007FAF60B5B4A4h
                                                      mov dword ptr [esp], 000002CCh
                                                      lea eax, dword ptr [ebp-00000324h]
                                                      push 00000000h
                                                      push eax
                                                      call 00007FAF60B5D7BBh
                                                      add esp, 0Ch
                                                      mov dword ptr [ebp-00000274h], eax
                                                      mov dword ptr [ebp-00000278h], ecx
                                                      mov dword ptr [ebp-0000027Ch], edx
                                                      mov dword ptr [ebp-00000280h], ebx
                                                      mov dword ptr [ebp-00000284h], esi
                                                      mov dword ptr [ebp-00000288h], edi
                                                      mov word ptr [ebp-0000025Ch], ss
                                                      mov word ptr [ebp-00000268h], cs
                                                      mov word ptr [ebp-0000028Ch], ds
                                                      mov word ptr [ebp-00000290h], es
                                                      mov word ptr [ebp-00000294h], fs
                                                      mov word ptr [ebp-00000298h], gs
                                                      pushfd
                                                      pop dword ptr [ebp-00000264h]
                                                      mov eax, dword ptr [ebp+04h]
                                                      mov dword ptr [ebp-0000026Ch], eax
                                                      lea eax, dword ptr [ebp+04h]
                                                      mov dword ptr [ebp-00000260h], eax
                                                      mov dword ptr [ebp-00000324h], 00010001h
                                                      mov eax, dword ptr [eax-04h]
                                                      push 00000050h
                                                      mov dword ptr [ebp-00000270h], eax
                                                      lea eax, dword ptr [ebp-58h]
                                                      push 00000000h
                                                      push eax
                                                      call 00007FAF60B5D731h
                                                      Programming Language:
                                                      • [C++] VS2008 SP1 build 30729
                                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b88 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55f2d | 0x56000 | c9fb1fecb5f01a3c88e2bc00eccd57c4 | False | 0.5739377043968024 | data | 6.621523378040251 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x57000 | 0x18b00 | 0x18c00 | 0ba285a9a28b1dec254a7539ab18f8d0 | False | 0.4981455176767677 | OpenPGP Secret Key Version 6 | 5.75873851406894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x70000 | 0x5d8c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x76000 | 0x4b08 | 0x4c00 | 1e2c91ef2d11a4c025453c82359baf46 | False | 0.2797594572368421 | data | 3.9848654889547657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x3b88 | 0x3c00 | b875bbd60cc90da8a22f40034fe9606e | False | 0.7575520833333333 | data | 6.702930468027394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7a5cc | 0x4fc | data | | | 1.0086206896551724
RT_GROUP_ICON | 0x7aac8 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Imports
KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                                      SHELL32.dllShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                                      ole32.dllCoInitializeEx, CoGetObject, CoUninitialize
                                                      SHLWAPI.dllStrToIntA, PathFileExistsW, PathFileExistsA
                                                      WINMM.dllmciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                                      WS2_32.dllsend, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                                      urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
                                                      gdiplus.dllGdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                                      WININET.dllInternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T16:00:11.819235+0100 | 2834936 | ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) | 1 | 192.168.2.4 | 56895 | 1.1.1.1 | 53 | UDP
2025-01-08T16:00:12.687662+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49730 | 179.15.136.6 | 1997 | TCP
2025-01-08T16:00:14.113096+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:00:12.004339933 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:12.009179115 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:12.009274960 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:12.014571905 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:12.019368887 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:12.639126062 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:12.687661886 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:12.776175022 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:12.780675888 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:12.786380053 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:12.786461115 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:12.791268110 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:13.120791912 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:13.122509003 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:13.127466917 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:13.254786968 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:13.297013998 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:13.483300924 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:00:13.488131046 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jan 8, 2025 16:00:13.488213062 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:00:13.488311052 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:00:13.493026972 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jan 8, 2025 16:00:14.112934113 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jan 8, 2025 16:00:14.113095999 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:00:14.201598883 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:14.206496954 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:15.112261057 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Jan 8, 2025 16:00:15.112565994 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:00:37.053730965 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:00:37.055179119 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:00:37.060015917 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:01:07.052396059 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:01:07.054579020 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:01:07.059320927 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:01:37.080786943 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:01:37.083287001 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:01:37.088165045 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:02:03.469364882 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:02:03.873332024 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:02:04.484750986 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:02:05.781630039 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:02:07.107952118 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:02:07.109457970 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:02:07.114269972 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:02:08.229278088 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:02:13.078562021 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:02:22.687963009 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Jan 8, 2025 16:02:37.072683096 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:02:37.085800886 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:02:37.091571093 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:03:07.082709074 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:03:07.085948944 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:03:07.090766907 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:03:37.252814054 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:03:37.258198977 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:03:37.262979984 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:04:07.184537888 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Jan 8, 2025 16:04:07.186276913 CET | 49730 | 1997 | 192.168.2.4 | 179.15.136.6
Jan 8, 2025 16:04:07.192245007 CET | 1997 | 49730 | 179.15.136.6 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:00:11.819235086 CET | 56895 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 16:00:12.000581026 CET | 53 | 56895 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 16:00:13.471400976 CET | 50859 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 16:00:13.479806900 CET | 53 | 50859 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 16:00:11.819235086 CET | 192.168.2.4 | 1.1.1.1 | 0xcc9f | Standard query (0) | municipioalcidiadechicamocha.ddnsgeek.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:00:13.471400976 CET | 192.168.2.4 | 1.1.1.1 | 0xaddb | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 16:00:12.000581026 CET | 1.1.1.1 | 192.168.2.4 | 0xcc9f | No error (0) | municipioalcidiadechicamocha.ddnsgeek.com | | 179.15.136.6 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:00:13.479806900 CET | 1.1.1.1 | 192.168.2.4 | 0xaddb | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | 6908 | C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:00:13.488311052 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 8, 2025 16:00:14.112934113 CET | 1171 | IN | HTTP/1.1 200 OK
                                                      date: Wed, 08 Jan 2025 15:00:14 GMT
                                                      server: Apache
                                                      content-length: 963
                                                      content-type: application/json; charset=utf-8
                                                      cache-control: public, max-age=300
                                                      access-control-allow-origin: *
                                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 33 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                      Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"3ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID: 0
Start time: 10:00:10
Start date: 08/01/2025
Path: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe"
Imagebase: 0x400000
File size: 493'056 bytes
MD5 hash: 636E91C12E393D1EA1D07C9970DE9CF7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4171097043.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4170857245.000000000060C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1719762355.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4170857245.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

                                                        Execution Graph

Execution Coverage: 4.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 22.8%
Total number of Nodes: 1327
Total number of Limit Nodes: 65
                                                        execution_graph 45658 41d4e0 45660 41d4f6 ctype ___scrt_fastfail 45658->45660 45659 41d6f3 45664 41d744 45659->45664 45674 41d081 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 45659->45674 45660->45659 45679 431fa9 21 API calls ___std_exception_copy 45660->45679 45663 41d704 45663->45664 45665 41d770 45663->45665 45675 431fa9 21 API calls ___std_exception_copy 45663->45675 45665->45664 45682 41d484 21 API calls ___scrt_fastfail 45665->45682 45667 41d6a6 ___scrt_fastfail 45667->45664 45680 431fa9 21 API calls ___std_exception_copy 45667->45680 45670 41d73d ___scrt_fastfail 45670->45664 45676 43265f 45670->45676 45672 41d6ce ___scrt_fastfail 45672->45664 45681 431fa9 21 API calls ___std_exception_copy 45672->45681 45674->45663 45675->45670 45683 43257f 45676->45683 45678 432667 45678->45665 45679->45667 45680->45672 45681->45659 45682->45664 45684 432598 45683->45684 45688 43258e 45683->45688 45684->45688 45689 431fa9 21 API calls ___std_exception_copy 45684->45689 45686 4325b9 45686->45688 45690 43294a CryptAcquireContextA 45686->45690 45688->45678 45689->45686 45691 43296b CryptGenRandom 45690->45691 45693 432966 45690->45693 45692 432980 CryptReleaseContext 45691->45692 45691->45693 45692->45693 45693->45688 45694 426040 45699 426107 recv 45694->45699 45700 44e8c6 45701 44e8d1 45700->45701 45702 44e8f9 45701->45702 45703 44e8ea 45701->45703 45704 44e908 45702->45704 45722 455583 27 API calls 2 library calls 45702->45722 45721 445364 20 API calls _free 45703->45721 45709 44b9ce 45704->45709 45708 44e8ef ___scrt_fastfail 45710 44b9e6 45709->45710 45711 44b9db 45709->45711 45713 44b9ee 45710->45713 45719 44b9f7 _strftime 45710->45719 45723 446b0f 45711->45723 45730 446ad5 45713->45730 45715 44ba21 RtlReAllocateHeap 45717 44b9e3 45715->45717 45715->45719 45716 44b9fc 45736 445364 20 API calls _free 45716->45736 45717->45708 45719->45715 45719->45716 45737 442210 7 API calls 2 
library calls 45719->45737 45721->45708 45722->45704 45724 446b4d 45723->45724 45728 446b1d _strftime 45723->45728 45739 445364 20 API calls _free 45724->45739 45726 446b38 RtlAllocateHeap 45727 446b4b 45726->45727 45726->45728 45727->45717 45728->45724 45728->45726 45738 442210 7 API calls 2 library calls 45728->45738 45731 446ae0 RtlFreeHeap 45730->45731 45735 446b09 _free 45730->45735 45732 446af5 45731->45732 45731->45735 45740 445364 20 API calls _free 45732->45740 45734 446afb GetLastError 45734->45735 45735->45717 45736->45717 45737->45719 45738->45728 45739->45727 45740->45734 45741 4260a1 45746 42611e send 45741->45746 45747 425e66 45748 425e7b 45747->45748 45753 425f1b 45747->45753 45749 425fae 45748->45749 45752 425f6a 45748->45752 45748->45753 45755 425ec9 45748->45755 45757 425efe 45748->45757 45761 425f87 45748->45761 45762 425f35 45748->45762 45775 424364 50 API calls ctype 45748->45775 45749->45753 45780 4255d7 28 API calls 45749->45780 45752->45761 45779 424b8b 21 API calls 45752->45779 45755->45753 45755->45757 45776 41f085 54 API calls 45755->45776 45757->45753 45757->45762 45777 424364 50 API calls ctype 45757->45777 45761->45749 45761->45753 45763 424f88 45761->45763 45762->45752 45762->45753 45778 41f085 54 API calls 45762->45778 45764 424fa7 ___scrt_fastfail 45763->45764 45766 424fb6 45764->45766 45769 424fdb 45764->45769 45781 41e0a7 21 API calls 45764->45781 45766->45769 45774 424fbb 45766->45774 45782 41fae4 47 API calls 45766->45782 45769->45749 45770 424fc4 45770->45769 45785 424195 21 API calls 2 library calls 45770->45785 45772 42505e 45772->45769 45783 431fa9 21 API calls ___std_exception_copy 45772->45783 45774->45769 45774->45770 45784 41cf7e 50 API calls 45774->45784 45775->45755 45776->45755 45777->45762 45778->45762 45779->45761 45780->45753 45781->45766 45782->45772 45783->45774 45784->45770 45785->45769 45786 43a9a8 45789 43a9b4 _swprintf BuildCatchObjectHelperInternal 45786->45789 45787 43a9c2 45804 445364 20 API calls _free 
45787->45804 45789->45787 45791 43a9ec 45789->45791 45790 43a9c7 45805 43a837 26 API calls _Deallocate 45790->45805 45799 444adc EnterCriticalSection 45791->45799 45794 43a9f7 45800 43aa98 45794->45800 45795 43a9d2 std::_Locinfo::_Locinfo_dtor 45799->45794 45802 43aaa6 45800->45802 45801 43aa02 45806 43aa1f LeaveCriticalSection std::_Lockit::~_Lockit 45801->45806 45802->45801 45807 448426 39 API calls 2 library calls 45802->45807 45804->45790 45805->45795 45806->45795 45807->45802 45808 414dba 45823 41a52b 45808->45823 45810 414dc3 45833 401fbd 45810->45833 45814 414dde 45815 4161f2 45814->45815 45838 401eea 45814->45838 45842 401d8c 45815->45842 45818 4161fb 45819 401eea 26 API calls 45818->45819 45820 416207 45819->45820 45821 401eea 26 API calls 45820->45821 45822 416213 45821->45822 45824 41a539 45823->45824 45848 43a89c 45824->45848 45827 41a56c InternetReadFile 45832 41a58f 45827->45832 45829 41a5bc InternetCloseHandle InternetCloseHandle 45830 41a5ce 45829->45830 45830->45810 45831 401eea 26 API calls 45831->45832 45832->45827 45832->45829 45832->45831 45855 401f86 45832->45855 45834 401fcc 45833->45834 45866 402501 45834->45866 45836 401fea 45837 404468 60 API calls ctype 45836->45837 45837->45814 45840 4021b9 45838->45840 45839 4021e8 45839->45815 45840->45839 45871 40262e 26 API calls _Deallocate 45840->45871 45844 40200a 45842->45844 45843 40203a 45843->45818 45844->45843 45872 402654 26 API calls 45844->45872 45846 40202b 45873 4026ba 26 API calls _Deallocate 45846->45873 45853 446b0f _strftime 45848->45853 45849 446b4d 45860 445364 20 API calls _free 45849->45860 45851 446b38 RtlAllocateHeap 45852 41a543 InternetOpenW InternetOpenUrlW 45851->45852 45851->45853 45852->45827 45853->45849 45853->45851 45859 442210 7 API calls 2 library calls 45853->45859 45856 401f8e 45855->45856 45861 402325 45856->45861 45858 401fa4 45858->45832 45859->45853 45860->45852 45862 40232f 45861->45862 45864 40233a 45862->45864 45865 40294a 28 API calls 45862->45865 
45864->45858 45865->45864 45867 40250d 45866->45867 45869 40252b 45867->45869 45870 40261a 28 API calls 45867->45870 45869->45836 45870->45869 45871->45839 45872->45846 45873->45843 45874 402bcc 45875 402bd7 45874->45875 45876 402bdf 45874->45876 45892 403315 28 API calls _Deallocate 45875->45892 45877 402beb 45876->45877 45882 4015d3 45876->45882 45880 402bdd 45884 43361d 45882->45884 45883 43a89c ___std_exception_copy 21 API calls 45883->45884 45884->45883 45885 402be9 45884->45885 45888 43363e std::_Facet_Register 45884->45888 45893 442210 7 API calls 2 library calls 45884->45893 45887 433dfc std::_Facet_Register 45895 437be7 RaiseException 45887->45895 45888->45887 45894 437be7 RaiseException 45888->45894 45890 433e19 45892->45880 45893->45884 45894->45887 45895->45890 45896 4339ce 45897 4339da BuildCatchObjectHelperInternal 45896->45897 45928 4336c3 45897->45928 45899 4339e1 45900 433b34 45899->45900 45903 433a0b 45899->45903 46228 433b54 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 45900->46228 45902 433b3b 46229 4426ce 28 API calls _Atexit 45902->46229 45914 433a4a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45903->45914 46222 4434e1 5 API calls _ValidateLocalCookies 45903->46222 45905 433b41 46230 442680 28 API calls _Atexit 45905->46230 45908 433a24 45910 433a2a 45908->45910 46223 443485 5 API calls _ValidateLocalCookies 45908->46223 45909 433b49 45912 433aab 45939 433c6e 45912->45939 45914->45912 46224 43ee04 38 API calls 4 library calls 45914->46224 45922 433acd 45922->45902 45923 433ad1 45922->45923 45924 433ada 45923->45924 46226 442671 28 API calls _Atexit 45923->46226 46227 433852 13 API calls 2 library calls 45924->46227 45927 433ae2 45927->45910 45929 4336cc 45928->45929 46231 433e1a IsProcessorFeaturePresent 45929->46231 45931 4336d8 46232 4379fe 10 API calls 3 library calls 45931->46232 45933 4336dd 45938 4336e1 45933->45938 46233 44336e 
Execution Graph (call-graph node and edge listing from the interactive graph view; the graph itself is not recoverable as text, so only the API names referenced by its nodes are kept here)

Windows API calls referenced by the graph nodes:

Process, module and loader: GetStartupInfoW, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameW, LoadLibraryA, GetProcAddress, IsProcessorFeaturePresent, IsWow64Process, GetCurrentProcess, CreateProcessA, TerminateProcess, ExitProcess, SetProcessDEPPolicy, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetLastError

Resources: FindResourceA, LoadResource, LockResource, SizeofResource

Registry: RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyA, RegQueryValueExA, RegQueryValueExW, RegSetValueExA, RegDeleteValueW, RegCloseKey

Files and paths: CreateFileW, GetFileSize, SetFilePointer, WriteFile, CloseHandle, DeleteFileW, CreateDirectoryW, GetFileAttributesW, SetFileAttributesW, PathFileExistsW, GetLongPathNameW

Networking (Winsock): WSAStartup, WSAGetLastError, WSASetLastError, getaddrinfo, socket, connect

Threads and synchronization: CreateThread, CreateMutexA, CreateEventA, CreateEventW, SetEvent, ResetEvent, WaitForSingleObject, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, Sleep

Window, message loop and input: SetWindowsHookExA, GetMessageA, TranslateMessage, DispatchMessageA, GetForegroundWindow, GetWindowTextW, GetWindowTextLengthW, GetLastInputInfo

System information: GetComputerNameExW, GetUserNameW, GetLocalTime, GetTickCount, GetLocaleInfoA, GlobalMemoryStatusEx, StrToIntA

C runtime helpers named in the graph: _wcslen, _swprintf, _free, ___scrt_fastfail, __EH_prolog, ___std_exception_copy, _Deallocate, __Init_thread_wait, __onexit, __Tolower, __alldvrm, ctype

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$HandleLibraryLoadModule
                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                        • API String ID: 384173800-625181639
                                                        • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                        • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                                                        • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                        • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe,00000104), ref: 0040D790
                                                          • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                        • String ID: 0DG$Access Level: $Administrator$C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-MH2R80$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$p=\$BG$BG$BG$BG$BG
                                                        • API String ID: 2830904901-2792831151
                                                        • Opcode ID: a1e1641ac996dd8d3d4c21876c80dae499284de3cda9a76a993c65e0cbfa66c7
                                                        • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                                                        • Opcode Fuzzy Hash: a1e1641ac996dd8d3d4c21876c80dae499284de3cda9a76a993c65e0cbfa66c7
                                                        • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                        • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                        • GetLastError.KERNEL32 ref: 00409A1B
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                        • TranslateMessage.USER32(?), ref: 00409A7A
                                                        • DispatchMessageA.USER32(?), ref: 00409A85
                                                        Strings
                                                        • Keylogger initialization failure: error , xrefs: 00409A32
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                        • String ID: Keylogger initialization failure: error
                                                        • API String ID: 3219506041-952744263
                                                        • Opcode ID: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                                        • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                                                        • Opcode Fuzzy Hash: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                                        • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                        • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                        • ExitProcess.KERNEL32 ref: 0040E672
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                        • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                        • API String ID: 2281282204-3981147832
                                                        • Opcode ID: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                                        • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                                        • Opcode Fuzzy Hash: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                                        • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                        • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                        Strings
                                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$EventLocalThreadTime
                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                        • API String ID: 2532271599-1507639952
                                                        • Opcode ID: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                                        • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                                                        • Opcode Fuzzy Hash: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                                        • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                        • String ID:
                                                        • API String ID: 1815803762-0
                                                        • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                        • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                                        • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                        • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                                        APIs
                                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7CF
                                                        • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Name$ComputerUser
                                                        • String ID:
                                                        • API String ID: 4229901323-0
                                                        • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                        • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                        • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                        • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                        • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                        • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                        • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: recv
                                                        • String ID:
                                                        • API String ID: 1507349165-0
                                                        • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                        • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                        • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                        • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                        Control-flow Graph

                                                        control_flow_graph 447 413fd4-41401f call 401faa call 41aa83 call 401faa call 401d64 call 401e8f call 43a5f7 460 414021-414028 Sleep 447->460 461 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afd3 call 404262 call 401d64 call 40b125 447->461 460->461 476 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afd3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 461->476 477 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 461->477 530 41419a-4141a1 476->530 531 41418c-414198 476->531 477->476 532 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a696 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 530->532 531->532 559 414244-41428a WSAGetLastError call 41bc86 call 404c9e call 401f66 call 41a696 call 401eea 532->559 560 41428f-41429d call 4041f1 532->560 582 414b54-414b66 call 4047eb call 4020b4 559->582 565 4142ca-4142df call 404915 call 40428c 560->565 566 41429f-4142c5 call 401f66 * 2 call 41a696 560->566 581 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a696 call 401eea * 4 call 41a97d call 413683 call 4082dc call 440c61 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 565->581 565->582 566->582 647 414434-414441 call 40541d 581->647 648 414446-41446d call 401e8f call 412513 581->648 596 414b68-414b88 call 401d64 call 401e8f call 43a5f7 Sleep 582->596 597 414b8e-414b96 call 401d8c 582->597 596->597 597->476 647->648 654 414474-414830 call 403b40 call 40cbf1 call 41adfe call 41aed8 call 41ad56 call 401d64 GetTickCount call 41ad56 call 41acb0 call 41ad56 * 2 call 41ac62 call 41aed8 * 5 call 40e679 call 41aed8 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c 648->654 655 41446f-414471 648->655 781 414832 call 404468 654->781 655->654 782 414837-414abb call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 781->782 900 414ac0-414ac7 782->900 901 414ac9-414ad0 900->901 902 414adb-414ae2 900->902 901->902 903 414ad2-414ad4 901->903 904 414ae4-414ae9 call 40a767 902->904 905 414aee-414b20 call 405415 call 401f66 * 2 call 41a696 902->905 903->902 904->905 916 414b22-414b2e CreateThread 905->916 917 414b34-414b4f call 401eea * 2 call 401e13 905->917 916->917 917->582
                                                        APIs
                                                        • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                        • WSAGetLastError.WS2_32 ref: 00414249
                                                        • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$ErrorLastLocalTime
                                                        • String ID: | $%I64u$5.3.0 Pro$C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-MH2R80$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$p=\$>G$>G$BG
                                                        • API String ID: 524882891-2875028627
                                                        • Opcode ID: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                                        • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                                                        • Opcode Fuzzy Hash: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                                        • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                        Control-flow Graph

                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0040A456
                                                        • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                        • GetForegroundWindow.USER32 ref: 0040A467
                                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                        • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                        • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                                                        • API String ID: 911427763-1497357211
                                                        • Opcode ID: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                                        • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                                                        • Opcode Fuzzy Hash: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                                        • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F

                                                        Control-flow Graph

                                                        APIs
                                                        • Sleep.KERNEL32(00001388), ref: 00409E62
                                                          • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                          • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                          • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                          • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                        • String ID: XCG$XCG$p=\$xAG$xAG
                                                        • API String ID: 3795512280-3414089979
                                                        • Opcode ID: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                                        • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                                        • Opcode Fuzzy Hash: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                                        • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A

                                                        Control-flow Graph

                                                        control_flow_graph 1102 40428c-4042ad connect 1103 4043e1-4043e5 1102->1103 1104 4042b3-4042b6 1102->1104 1107 4043e7-4043f5 WSAGetLastError 1103->1107 1108 40445f 1103->1108 1105 4043da-4043dc 1104->1105 1106 4042bc-4042bf 1104->1106 1109 404461-404465 1105->1109 1110 4042c1-4042e8 call 404cbf call 401f66 call 41a696 1106->1110 1111 4042eb-4042f5 call 420161 1106->1111 1107->1108 1112 4043f7-4043fa 1107->1112 1108->1109 1110->1111 1121 404306-404313 call 420383 1111->1121 1122 4042f7-404301 1111->1122 1114 404439-40443e 1112->1114 1115 4043fc-404437 call 41bc86 call 404c9e call 401f66 call 41a696 call 401eea 1112->1115 1117 404443-40445c call 401f66 * 2 call 41a696 1114->1117 1115->1108 1117->1108 1134 404315-404338 call 401f66 * 2 call 41a696 1121->1134 1135 40434c-404357 call 420f44 1121->1135 1122->1117 1164 40433b-404347 call 4201a1 1134->1164 1147 404389-404396 call 4202fa 1135->1147 1148 404359-404387 call 401f66 * 2 call 41a696 call 4205a2 1135->1148 1161 404398-4043bb call 401f66 * 2 call 41a696 1147->1161 1162 4043be-4043d7 CreateEventW * 2 1147->1162 1148->1164 1161->1162 1162->1105 1164->1108
                                                        APIs
                                                        • connect.WS2_32(?,?,?), ref: 004042A5
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                        • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                        • API String ID: 994465650-2151626615
                                                        • Opcode ID: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                                        • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                                        • Opcode Fuzzy Hash: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                                        • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                                                        Control-flow Graph

                                                        control_flow_graph 1177 40c89e-40c8c3 call 401e52 1180 40c8c9 1177->1180 1181 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 1177->1181 1183 40c8d0-40c8d5 1180->1183 1184 40c9c2-40c9c7 1180->1184 1185 40c905-40c90a 1180->1185 1186 40c9d8 1180->1186 1187 40c9c9-40c9ce call 43ac1f 1180->1187 1188 40c8da-40c8e8 call 41a75b call 401e18 1180->1188 1189 40c8fb-40c900 1180->1189 1190 40c9bb-40c9c0 1180->1190 1191 40c90f-40c916 call 41b16b 1180->1191 1202 40ca18-40ca85 call 403b40 call 40cc37 call 402860 * 2 call 401e13 * 5 1181->1202 1193 40c9dd-40c9e2 call 43ac1f 1183->1193 1184->1193 1185->1193 1186->1193 1199 40c9d3-40c9d6 1187->1199 1208 40c8ed 1188->1208 1189->1193 1190->1193 1203 40c918-40c968 call 403b40 call 43ac1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1191->1203 1204 40c96a-40c9b6 call 403b40 call 43ac1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1191->1204 1205 40c9e3-40c9e8 call 4082d7 1193->1205 1199->1186 1199->1205 1213 40c8f1-40c8f6 call 401e13 1203->1213 1204->1208 1205->1181 1208->1213 1213->1181
                                                        APIs
                                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LongNamePath
                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                        • API String ID: 82841172-425784914
                                                        • Opcode ID: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                                        • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                                                        • Opcode Fuzzy Hash: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                                        • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                          • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                        • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                        • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                        • API String ID: 782494840-3211212173
                                                        • Opcode ID: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                                        • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                                                        • Opcode Fuzzy Hash: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                                        • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                                                        Control-flow Graph (rendered graph not reproduced): function 0x41a52b-0x41a5d8; InternetOpenW and InternetOpenUrlW at entry (0x41a52b-0x41a56a), InternetReadFile read loop over 0x41a56c-0x41a5b6, two InternetCloseHandle calls at 0x41a5bc-0x41a5c9 before return
                                                        APIs
                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                                                        Strings
                                                        • http://geoplugin.net/json.gp, xrefs: 0041A55E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                        • String ID: http://geoplugin.net/json.gp
                                                        • API String ID: 3121278467-91888290
                                                        • Opcode ID: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                        • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                                                        • Opcode Fuzzy Hash: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                        • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA
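The function above fetches http://geoplugin.net/json.gp over plain HTTP (InternetOpenW with a NULL agent string, then InternetOpenUrlW with INTERNET_FLAG_RELOAD, 0x80000000) to geolocate the victim before the C2 check-in. That lookup is a cheap network pivot: it is cleartext, it hits a fixed endpoint, and ordinary users rarely request the JSON API directly. The following is an added detection example, not code from the Joe Sandbox report or from Remcos; the Squid-style access.log format and every sample line are constructed here, and the only indicator taken from the report is the URL itself.

```python
"""Spot the geoplugin.net geolocation lookup from this sample in proxy logs.

Added example; not code from the Joe Sandbox report or from Remcos. The log
format (Squid native access.log) and every sample line are constructed for
the example. The only indicator taken from the report is the URL
http://geoplugin.net/json.gp requested via InternetOpenUrlW.
"""
import re
from urllib.parse import urlsplit

# Squid native access.log:
#   ts elapsed client code/status bytes method url user hier/peer content-type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log; peer addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1736348224.101    120 10.0.0.15 TCP_MISS/200 1043 GET http://geoplugin.net/json.gp - HIER_DIRECT/203.0.113.10 application/json
1736348224.305     40 10.0.0.15 TCP_MISS/200 5123 GET http://198.51.100.7/index.html - HIER_DIRECT/198.51.100.7 text/html
1736348300.777     90 10.0.0.22 TCP_MISS/200 1043 GET http://geoplugin.net/json.gp?ip=10.0.0.22 - HIER_DIRECT/203.0.113.10 application/json
1736348301.000     10 10.0.0.22 TCP_MISS/200 2200 GET http://www.geoplugin.net/ - HIER_DIRECT/203.0.113.10 text/html
1736348310.500     15 10.0.0.31 TCP_MISS/200 1043 GET http://GEOPLUGIN.NET/json.gp - HIER_DIRECT/203.0.113.10 application/json
"""


def parse_squid(text):
    """Yield one dict per well-formed access.log line; skip anything else."""
    for line in text.splitlines():
        m = SQUID_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_geoplugin_lookup(url):
    """True for the endpoint the sample calls: a geoplugin.net host with path /json.gp.

    The host match is case-insensitive and covers subdomains; the path must be
    the JSON endpoint, so a browser visit to the site's front page is not flagged.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    in_domain = host == "geoplugin.net" or host.endswith(".geoplugin.net")
    return in_domain and parts.path == "/json.gp"


def find_geoplugin_lookups(text):
    """Return (timestamp, client, url) for every matching GET, in log order."""
    return [(e["ts"], e["client"], e["url"]) for e in parse_squid(text)
            if e["method"] == "GET" and is_geoplugin_lookup(e["url"])]


def clients_by_first_lookup(text):
    """Map client -> timestamp of its first hit on the endpoint, a hunting pivot."""
    first = {}
    for ts, client, _ in find_geoplugin_lookups(text):
        first.setdefault(client, ts)
    return first


if __name__ == "__main__":
    for hit in find_geoplugin_lookups(SAMPLE_LOG):
        print("geoplugin lookup:", *hit)
    print("first lookup per client:", clients_by_first_lookup(SAMPLE_LOG))
```

The rule keys on host plus path rather than on the bare domain so that legitimate browsing of geoplugin.net is not alerted on; a hit from a client whose next connections go to the C2 listed in the report's configuration section is the sequence worth escalating.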

                                                        Control-flow Graph (rendered graph not reproduced): function 0x409d97-0x409e47; polling loop 0x409db2-0x409e1f that opens the target with CreateFileW, checks GetFileSize, calls Sleep (10 000 ms) and CloseHandle, then repeats; on the exit path 0x409e2f-0x409e3f calls 0x4082dc and 0x4098a5 before returning at 0x409e44
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                        • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleSizeSleep
                                                        • String ID: `AG
                                                        • API String ID: 1958988193-3058481221
                                                        • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                        • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                        • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                        • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

                                                        Control-flow Graph (rendered graph not reproduced): function 0x4126d2-0x412730; RegCreateKeyA at entry, and on success the block 0x4126eb-0x412720 calls 0x4022f8 and 0x401e8f, then RegSetValueExA and RegCloseKey; both paths join at 0x412724 (call 0x401eea) before return
                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                        • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                        • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: HgF$pth_unenc
                                                        • API String ID: 1818849710-3662775637
                                                        • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                        • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                        • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                        • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$LocalTimewsprintf
                                                        • String ID: Offline Keylogger Started
                                                        • API String ID: 465354869-4114347211
                                                        • Opcode ID: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                                        • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                                                        • Opcode Fuzzy Hash: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                                        • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                        • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                        • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: TUF
                                                        • API String ID: 1818849710-3431404234
                                                        • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                        • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                        • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                        • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
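The two registry functions above (0x4126d2 and the one containing 0x4127e3) both open a key under HKEY_CURRENT_USER (0x80000001 in RegCreateKeyA) and then store values named "HgF" and "TUF" with RegSetValueExA; the call-stack arguments also carry the version string "5.3.0 Pro". Because the hive is HKCU, these writes succeed at medium integrity with no UAC prompt, so a host hunt has to look at every loaded user hive rather than only HKLM. The following is an added example, not part of the Joe Sandbox report and not Remcos code: it runs that hunt over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records. The SIDs, subkey names, image paths and the records themselves are invented for the sample data; the hive and the two value names come from the report.

```python
"""Hunt Sysmon registry events for the HKCU value writes this sample makes.

Added example; it is not part of the Joe Sandbox report and not Remcos code.
From the report: RegCreateKeyA is called with HKEY_CURRENT_USER (0x80000001)
and RegSetValueExA writes values named "HgF" and "TUF". Everything else here
(SIDs, subkey names, image paths, the event records) is constructed.
"""
import re
from collections import defaultdict

# Value names from the RegSetValueExA calls. Registry value names are
# case-insensitive, so comparisons below fold case.
SUSPECT_VALUE_NAMES = {name.lower() for name in ("HgF", "TUF")}

# Sysmon records the current-user hive as HKU\<user SID>; some collectors
# rewrite that to HKCU. Accept both forms (assumption about the collector).
USER_HIVE_RE = re.compile(
    r"^(?:HKU\\S-1-5-21-[0-9-]+|HKCU)\\(?P<subkey>.+)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\ExampleKey\HgF"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\ExampleKey\tuf"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\HgF"},  # machine hive: not this pattern
    {"EventID": 13, "Image": r"C:\Program Files\App\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\App\Version"},
    {"EventID": 12, "Image": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\ExampleKey"},  # key create
]


def match_user_hive_value(target_object):
    """Return (subkey, value_name) if target_object is a value under a user hive."""
    m = USER_HIVE_RE.match(target_object)
    return (m.group("subkey"), m.group("value")) if m else None


def find_suspect_value_writes(events):
    """Alerts for Event 13 writes of a suspect value name under HKCU / HKU\\<SID>."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        parsed = match_user_hive_value(ev["TargetObject"])
        if parsed and parsed[1].lower() in SUSPECT_VALUE_NAMES:
            alerts.append({"image": ev["Image"], "subkey": parsed[0], "value": parsed[1]})
    return alerts


def images_writing_both_values(events):
    """Images that wrote every suspect value name, the pairing this sample shows."""
    seen = defaultdict(set)
    for a in find_suspect_value_writes(events):
        seen[a["image"]].add(a["value"].lower())
    return sorted(img for img, names in seen.items() if names == SUSPECT_VALUE_NAMES)


if __name__ == "__main__":
    for a in find_suspect_value_writes(SAMPLE_EVENTS):
        print(f"{a['image']} wrote {a['value']} under {a['subkey']}")
    print("both values written by:", images_writing_both_values(SAMPLE_EVENTS))
```

The subkey is deliberately left unconstrained because the report resolves it only as "?"; requiring both value names from the same image is what keeps the rule from firing on an unrelated application that happens to use one of these short names.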
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                        • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                        • String ID:
                                                        • API String ID: 3360349984-0
                                                        • Opcode ID: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                        • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                        • Opcode Fuzzy Hash: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                        • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                                        • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                                        • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandlePointerWrite
                                                        • String ID:
                                                        • API String ID: 3604237281-0
                                                        • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                        • Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
                                                        • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                        • Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountEventTick
                                                        • String ID: >G
                                                        • API String ID: 180926312-1296849874
                                                        • Opcode ID: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                                        • Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
                                                        • Opcode Fuzzy Hash: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                                        • Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                        • GetLastError.KERNEL32 ref: 0040BEF1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateErrorLastMutex
                                                        • String ID: Rmc-MH2R80
                                                        • API String ID: 1925916568-3696290669
                                                        • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                        • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                        • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                        • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                        • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                        • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                        • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                        • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                        • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                        • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                        • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                        • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                        • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                        • RegCloseKey.KERNEL32(?), ref: 00412500
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                        • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                        • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                        • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                        • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                        • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                        • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                        • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: xAG
                                                        • API String ID: 176396367-2759412365
                                                        • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                        • Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
                                                        • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                        • Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A969
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID: @
                                                        • API String ID: 1890195054-2766056989
                                                        • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                        • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                        • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                        • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                        APIs
                                                        • _free.LIBCMT ref: 0044B9EF
                                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                        • RtlReAllocateHeap.NTDLL(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap$_free
                                                        • String ID:
                                                        • API String ID: 1482568997-0
                                                        • Opcode ID: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                                        • Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
                                                        • Opcode Fuzzy Hash: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                                        • Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED
                                                        APIs
                                                        • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                          • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEventStartupsocket
                                                        • String ID:
                                                        • API String ID: 1953588214-0
                                                        • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                        • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                        • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                        • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                        APIs
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7
                                                          • Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,00434421,?,?,?,?,?,?,?,?,00434421,?,0046D644,0041AD85,?), ref: 00437C47
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E14
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                        • String ID:
                                                        • API String ID: 3476068407-0
                                                        • Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                        • Instruction ID: a120e58b429b9861eb3006866c51ef53ea309f8249189fce9472b36b7df41f91
                                                        • Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                        • Instruction Fuzzy Hash: EFF0243080430D7BCB14BEAAE80799D772C5D08319F60612BB825955E1EF7CE715C58E
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 0041AC84
                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC97
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$ForegroundText
                                                        • String ID:
                                                        • API String ID: 29597999-0
                                                        • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                        • Instruction ID: cc2156d331005380bc7f387210694eb4be3f76427b44d354f8bc4e4bef854abe
                                                        • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                        • Instruction Fuzzy Hash: CFE04875A0031867FB24A765AD4EFD6766C9704715F0000B9BA19E21C3E9B4EA04C7E4
                                                        APIs
                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                        • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                          • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                        • String ID:
                                                        • API String ID: 1170566393-0
                                                        • Opcode ID: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                                        • Instruction ID: 6b8e1b3bf706901e9cebb32ced8ad4f2671330a9e567d97b4cc2d1cd49d6d23a
                                                        • Opcode Fuzzy Hash: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                                        • Instruction Fuzzy Hash: CED05B326406216FA310575D6D01FFBB5DCDFA67717110077F408D7110D6946D8283ED
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                        • Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
                                                        • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                        • Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF
                                                        APIs
                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Startup
                                                        • String ID:
                                                        • API String ID: 724789610-0
                                                        • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                        • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                        • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                        • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: send
                                                        • String ID:
                                                        • API String ID: 2809346765-0
                                                        • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                        • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                        • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                        • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                          • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                          • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                          • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                          • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                          • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                          • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                          • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                        • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                          • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                          • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                          • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                        • Sleep.KERNEL32(000007D0), ref: 00407976
                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                          • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                        • API String ID: 2918587301-184849705
                                                        • Opcode ID: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                                        • Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
                                                        • Opcode Fuzzy Hash: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                                        • Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0040508E
                                                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        • __Init_thread_footer.LIBCMT ref: 004050CB
                                                        • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                                                        • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                                                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                        • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                        • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                        • CloseHandle.KERNEL32 ref: 004053CD
                                                        • CloseHandle.KERNEL32 ref: 004053D5
                                                        • CloseHandle.KERNEL32 ref: 004053E7
                                                        • CloseHandle.KERNEL32 ref: 004053EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                        • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                                        • API String ID: 3815868655-1274243119
                                                        • Opcode ID: bf49341456b4085afcbe2274af5a1afd8befb6bfa4028430823d957bc0f49eac
                                                        • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                                        • Opcode Fuzzy Hash: bf49341456b4085afcbe2274af5a1afd8befb6bfa4028430823d957bc0f49eac
                                                        • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                        • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                        • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                        • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                        • API String ID: 65172268-329858390
                                                        • Opcode ID: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                                        • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                                        • Opcode Fuzzy Hash: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                                        • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                        • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                        • FindClose.KERNEL32(00000000), ref: 0040B517
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$CloseFile$FirstNext
                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                        • API String ID: 1164774033-3681987949
                                                        • Opcode ID: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                                        • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                                                        • Opcode Fuzzy Hash: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                                        • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                        • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                        • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                        • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$Close$File$FirstNext
                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                        • API String ID: 3527384056-432212279
                                                        • Opcode ID: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                                        • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                                                        • Opcode Fuzzy Hash: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                                        • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                        • API String ID: 726551946-3025026198
                                                        • Opcode ID: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                                        • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                                                        • Opcode Fuzzy Hash: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                                        • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                                                        APIs
                                                        • OpenClipboard.USER32 ref: 004159C7
                                                        • EmptyClipboard.USER32 ref: 004159D5
                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                        • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                        • CloseClipboard.USER32 ref: 00415A5A
                                                        • OpenClipboard.USER32 ref: 00415A61
                                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                        • CloseClipboard.USER32 ref: 00415A89
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                        • String ID:
                                                        • API String ID: 3520204547-0
                                                        • Opcode ID: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                                        • Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
                                                        • Opcode Fuzzy Hash: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                                        • Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0$1$2$3$4$5$6$7
                                                        • API String ID: 0-3177665633
                                                        • Opcode ID: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                                        • Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
                                                        • Opcode Fuzzy Hash: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                                        • Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
                                                        APIs
                                                        • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                        • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                        • GetKeyState.USER32(00000010), ref: 00409B5C
                                                        • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                        • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                        • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                        • String ID: X[G
                                                        • API String ID: 1888522110-739899062
                                                        • Opcode ID: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                                        • Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
                                                        • Opcode Fuzzy Hash: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                                        • Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 00406788
                                                        • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Object_wcslen
                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                        • API String ID: 240030777-3166923314
                                                        • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                        • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                                                        • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                        • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                                                        APIs
                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                                                        • GetLastError.KERNEL32 ref: 00419945
                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                        • String ID:
                                                        • API String ID: 3587775597-0
                                                        • Opcode ID: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                        • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                                                        • Opcode Fuzzy Hash: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                        • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                                                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                        • String ID:
                                                        • API String ID: 2341273852-0
                                                        • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                        • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                                                        • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                        • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                                                        APIs
                                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                                        • API String ID: 2127411465-314212984
                                                        • Opcode ID: 18a39fcbd2619a0ad7b15b3ace1fa1aaa8af28e14aabfdf4cb9dcfc1e5c535ab
                                                        • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                                        • Opcode Fuzzy Hash: 18a39fcbd2619a0ad7b15b3ace1fa1aaa8af28e14aabfdf4cb9dcfc1e5c535ab
                                                        • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                        • GetLastError.KERNEL32 ref: 0040B261
                                                        Strings
                                                        • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                        • UserProfile, xrefs: 0040B227
                                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                        • API String ID: 2018770650-1062637481
                                                        • Opcode ID: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                                        • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                                        • Opcode Fuzzy Hash: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                                        • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                        • GetLastError.KERNEL32 ref: 00416B02
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                        • String ID: SeShutdownPrivilege
                                                        • API String ID: 3534403312-3733053543
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
APIs
• __EH_prolog.LIBCMT ref: 004089AE
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
  • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• String ID:
• API String ID: 4043647387-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
  • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: XCG$p=\$>G
• API String ID: 341183262-3213395213
APIs
  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
• GetProcAddress.KERNEL32(00000000), ref: 00415977
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045128C
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512B5
• GetACP.KERNEL32 ref: 004512CA
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
• LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
• SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
APIs
  • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
  • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
  • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
• GetUserDefaultLCID.KERNEL32 ref: 004514D3
• IsValidCodePage.KERNEL32(00000000), ref: 0045152E
• IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451585
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004515A4
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
APIs
• __EH_prolog.LIBCMT ref: 00407A91
• FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
• C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, xrefs: 0040627F, 004063A7
• open, xrefs: 0040622E
Similarity
                                                        • API ID: DownloadExecuteFileShell
                                                        • String ID: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe$open
                                                        • API String ID: 2825088817-461077326
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        Similarity
                                                        • API ID: FileFind$FirstNextsend
                                                        • String ID: x@G$x@G
                                                        • API String ID: 4113138495-3390264752
                                                        APIs
                                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                          • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                          • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                          • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                        Similarity
                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                        • API String ID: 4127273184-3576401099
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                        • IsValidCodePage.KERNEL32(00000000), ref: 00450B71
                                                        • _wcschr.LIBVCRUNTIME ref: 00450C01
                                                        • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CB2
                                                        Similarity
                                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                        • String ID:
                                                        • API String ID: 4212172061-0
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00408DAC
                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                        Similarity
                                                        • API ID: FileFind$FirstH_prologNext
                                                        • String ID:
                                                        • API String ID: 301083792-0
                                                        APIs
                                                        • _free.LIBCMT ref: 00448077
                                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                        • GetTimeZoneInformation.KERNEL32 ref: 00448089
                                                        • WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 00448101
                                                        • WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044812E
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                        • String ID:
                                                        • API String ID: 806657224-0
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                                                        Similarity
                                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                                        • String ID:
                                                        • API String ID: 2829624132-0
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A765
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A76F
                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A77C
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                        • String ID:
                                                        • API String ID: 3906539128-0
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 00442585
                                                        • TerminateProcess.KERNEL32(00000000,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044258C
                                                        • ExitProcess.KERNEL32 ref: 0044259E
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID:
                                                        • API String ID: 1703294689-0
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACDC
                                                        • NtSuspendProcess.NTDLL(00000000), ref: 0041ACE9
                                                        • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACF2
                                                        Similarity
                                                        • API ID: Process$CloseHandleOpenSuspend
                                                        • String ID:
                                                        • API String ID: 1999457699-0
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041AD08
                                                        • NtResumeProcess.NTDLL(00000000), ref: 0041AD15
                                                        • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD1E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseHandleOpenResume
                                                        • String ID:
                                                        • API String ID: 3614150671-0
                                                        • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                        • Instruction ID: 37c2ac379339410306f7c92c5038f8fbeac8a1766455cc2515cdfea107740f35
                                                        • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                        • Instruction Fuzzy Hash: 3AD05E32504121638220176A7C0C887EEA9DBC5AB37024236F804C26219A24C841C6A4
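The two entries above show the same three-call shape with only the ntdll export swapped: OpenProcess with desired access 00000800 (PROCESS_SUSPEND_RESUME), then NtSuspendProcess or NtResumeProcess on that handle, then CloseHandle. That is the primitive behind a RAT's "suspend/resume process" command, and NtSuspendProcess/NtResumeProcess are undocumented ntdll exports rather than documented Win32 APIs. The script below is an added example for turning such per-function "APIs" bullets into triage findings; it is not part of the Joe Sandbox report or the sample's code. It parses bullets in the exact shape printed on this page, expands the OpenProcess access mask into its documented PROCESS_* names, names the RaiseException code C000000D (STATUS_INVALID_PARAMETER, the CRT invalid-parameter path seen in a later entry), and flags the handle-plus-Nt*Process pairing. The sample lines are constructed copies of entries on this page; the constant tables hold documented Windows values, and the finding strings are this example's own wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: "APIs" bullets in the shape the report prints them,
# copied from the resume-process and RaiseException entries on this page.
SAMPLE_LINES = [
    "• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041AD08",
    "• NtResumeProcess.NTDLL(00000000), ref: 0041AD15",
    "• CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD1E",
    "• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520DD), ref: 0045230F",
    "  • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06",
]

# One "APIs" bullet: optional subcall prefix, Api.MODULE, optional (args), "ref: addr".
_API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented PROCESS_* access rights from winnt.h (the subset that matters for triage).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Exception codes commonly seen as RaiseException's first argument.
EXCEPTION_NAMES = {
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xE06D7363: "MSVC C++ exception",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # int for hex literals, None for '?' / symbolic args
    ref: int
    subcall: bool


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet; return None for lines that are not API entries."""
    m = _API_RE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        try:
            args.append(int(tok, 16))
        except ValueError:          # '?' or 'Function_...' placeholders
            args.append(None)
    return ApiCall(m.group("api"), m.group("mod"), args,
                   int(m.group("ref"), 16), m.group("sub") is not None)


def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess mask into right names."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    known = sum(PROCESS_RIGHTS)     # distinct single bits, so sum == OR
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    if mask & ~known:               # keep unlisted bits visible instead of hiding them
        names.append(f"0x{mask & ~known:X}")
    return names


def triage(lines: List[str]) -> dict:
    """Decode the interesting arguments and flag the suspend/resume primitive."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    findings: List[str] = []
    open_masks: List[int] = []
    for c in calls:
        first = c.args[0] if c.args else None
        if c.api == "OpenProcess" and first is not None:
            open_masks.append(first)
            findings.append(f"OpenProcess@{c.ref:08X} requests "
                            + "|".join(decode_process_access(first)))
        elif c.api == "RaiseException" and first is not None:
            findings.append(f"RaiseException@{c.ref:08X} code 0x{first:08X} = "
                            + EXCEPTION_NAMES.get(first, "unknown"))
    apis = {c.api for c in calls}
    if any(m & 0x0800 for m in open_masks) and apis & {"NtSuspendProcess", "NtResumeProcess"}:
        findings.append("capability: suspend/resume a process by PID "
                        "(PROCESS_SUSPEND_RESUME handle + undocumented ntdll Nt*Process)")
    return {"calls": calls, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES)["findings"]:
        print(finding)
```

Feed it the "APIs" bullets of one function at a time: the capability finding depends on the OpenProcess mask and the Nt*Process call appearing in the same function, which is exactly what the two entries above show. Argument values the report prints as "?" come back as None, so any decode that depends on a concrete value is skipped rather than guessed.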
                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID: GetLocaleInfoEx
                                                        • API String ID: 2299586839-2904428671
                                                        • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                        • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                                                        • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                        • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                        • Instruction ID: 147a43d4a8953c0e587c79f7e81ca7cf09075d603a4ca368f499ea5921ccbf25
                                                        • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                        • Instruction Fuzzy Hash: DB026D71E002199FEF14CFA9C8806AEBBF1FF88314F25826AD919E7354D774A941CB84
                                                        APIs
                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520DD,?,?,00000008,?,?,00455422,00000000), ref: 0045230F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionRaise
                                                        • String ID:
                                                        • API String ID: 3997070919-0
                                                        • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                        • Instruction ID: 977e517564c3c3d0049d1222f3e9a6889a5c410b4df8a0f985261284c0187219
                                                        • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                        • Instruction Fuzzy Hash: D2B18E311106088FD715CF28C586B567BE0FF06325F25869AEC99CF2A2C379E986CB44
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0
                                                        • API String ID: 0-4108050209
                                                        • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                        • Instruction ID: 7b48c7cdb8adeeef677579d9f9868b7c31ff68b1fdc55a4cfb84755b90803176
                                                        • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                        • Instruction Fuzzy Hash: 7F02B3727083014BD714DF29D95272EF3E2BFCC718F19592EF4859B381DA78A9058B86
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                                        • String ID:
                                                        • API String ID: 1663032902-0
                                                        • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                        • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                                                        • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                        • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                        • EnumSystemLocalesW.KERNEL32(00450E7A,00000001), ref: 00450DC4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID:
                                                        • API String ID: 1084509184-0
                                                        • Opcode ID: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
                                                        • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                                                        • Opcode Fuzzy Hash: 7b25a473866e755be9e0678553a2658a3eea11fb5f40ef7cfa4196b50ecc0277
                                                        • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$InfoLocale_abort_free
                                                        • String ID:
                                                        • API String ID: 2692324296-0
                                                        • Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                        • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                                                        • Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                        • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                        • EnumSystemLocalesW.KERNEL32(004510CA,00000001), ref: 00450E39
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID:
                                                        • API String ID: 1084509184-0
                                                        • Opcode ID: 7e65307bcba768225932e1b9f22076d55968ca759e379ed0ac358a887faacdb1
                                                        • Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
                                                        • Opcode Fuzzy Hash: 7e65307bcba768225932e1b9f22076d55968ca759e379ed0ac358a887faacdb1
                                                        • Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
                                                        APIs
                                                          • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-00471558,?,0044226B,00000000,0046DAC0,0000000C,00442226,0000000A,?,?,00448749,0000000A,?,00446F84,00000001,00000364), ref: 00444AEB
                                                        • EnumSystemLocalesW.KERNEL32(Function_00047078,00000001,0046DC48,0000000C), ref: 004470F6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                        • String ID:
                                                        • API String ID: 1272433827-0
                                                        • Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                                        • Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
                                                        • Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                                        • Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                        • EnumSystemLocalesW.KERNEL32(00450C5E,00000001), ref: 00450D3E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                        • String ID:
                                                        • API String ID: 1084509184-0
                                                        • Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                                                        • Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
                                                        • Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                                                        • Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: BG3i@
                                                        • API String ID: 0-2407888476
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0
                                                        • API String ID: 0-4108050209
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @
                                                        • API String ID: 0-2766056989
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: >G
                                                        • API String ID: 0-1296849874
                                                        APIs
                                                        Similarity
                                                        • API ID: HeapProcess
                                                        • String ID:
                                                        • API String ID: 54951025-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                        • Instruction ID: 9b9e3495b2600b5bb57a0f881f66ff577775c96cdfa749367535f2d08535ee8a
                                                        • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                        • Instruction Fuzzy Hash: A3615871E0060867DE386928BC56BBF63A9EB4D304F14395BE883DB381C65DDD42835E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                        • Instruction ID: 82e4230dd5615ab793e8164ae3cdd09518d68db03ee48e672ae2bd39712f48c3
                                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                        • Instruction Fuzzy Hash: FF81EA722080A31DDB2D4239853803FFFE15A563A5B1BA7AFD4F2CB2C5EE18C564D624
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                        • Instruction ID: 1ecc17c6f396bdcf1bd7e257d91ac660bf1aa2674e3e23ad4d3769e79eae6022
                                                        • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                        • Instruction Fuzzy Hash: 9751647160460D4BDB34EA6895E77BFA3899B0E344F18350BE582F7782C61DAD02939E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aab2813c665c480545fef87c0c14cb93031e59ded8cfa1b4e39f94410d0708d9
                                                        • Instruction ID: 630ecb88457be3648657eb57e3c78cf78304789516621443522bf01dd35d6fbf
                                                        • Opcode Fuzzy Hash: aab2813c665c480545fef87c0c14cb93031e59ded8cfa1b4e39f94410d0708d9
                                                        • Instruction Fuzzy Hash: 81616F32A083159FC308DF75E581A5BB7E5BFCC718F450E1EF489DA151E634EA088B86
                                                        APIs
                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                                          • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                                        • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                                        • DeleteDC.GDI32(?), ref: 0041806D
                                                        • DeleteDC.GDI32(00000000), ref: 00418070
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                                        • GetCursorInfo.USER32(?), ref: 004180C5
                                                        • GetIconInfo.USER32(?,?), ref: 004180DB
                                                        • DeleteObject.GDI32(?), ref: 0041810A
                                                        • DeleteObject.GDI32(?), ref: 00418117
                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                                        • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                                        • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                                        • DeleteDC.GDI32(?), ref: 0041828F
                                                        • DeleteDC.GDI32(00000000), ref: 00418292
                                                        • DeleteObject.GDI32(00000000), ref: 00418295
                                                        • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                                        • DeleteObject.GDI32(00000000), ref: 00418354
                                                        • GlobalFree.KERNEL32(?), ref: 0041835B
                                                        • DeleteDC.GDI32(?), ref: 0041836B
                                                        • DeleteDC.GDI32(00000000), ref: 00418376
                                                        • DeleteDC.GDI32(?), ref: 004183A8
                                                        • DeleteDC.GDI32(00000000), ref: 004183AB
                                                        • DeleteObject.GDI32(?), ref: 004183B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                        • String ID: DISPLAY
                                                        • API String ID: 1352755160-865373369
                                                        • Opcode ID: 4332875b330b260fe317f73885a67b787bcc9eef3312130aa5211c7270dddff5
                                                        • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                                                        • Opcode Fuzzy Hash: 4332875b330b260fe317f73885a67b787bcc9eef3312130aa5211c7270dddff5
                                                        • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                        • ResumeThread.KERNEL32(?), ref: 00417582
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                        • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                        • GetLastError.KERNEL32 ref: 004175C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                        • API String ID: 4188446516-3035715614
                                                        • Opcode ID: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                        • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                                                        • Opcode Fuzzy Hash: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                        • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                        • ExitProcess.KERNEL32 ref: 0041151D
                                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                        • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                          • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                                          • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                                          • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                        • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                          • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                        • String ID: .exe$0DG$T@$WDH$exepath$open$p=\$temp_
                                                        • API String ID: 4250697656-713063157
                                                        • Opcode ID: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                                        • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                                                        • Opcode Fuzzy Hash: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                                        • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                        APIs
                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                                                        • SetEvent.KERNEL32 ref: 0041A39A
                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                                                        • CloseHandle.KERNEL32 ref: 0041A3BB
                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                        • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                        • API String ID: 738084811-2745919808
                                                        • Opcode ID: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                                        • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                                        • Opcode Fuzzy Hash: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                                        • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                                        APIs
                                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                        • ExitProcess.KERNEL32 ref: 0040C287
                                                        Similarity
                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                        • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$p=\$pth_unenc$wend$while fso.FileExists("
                                                        • API String ID: 3797177996-746442866
                                                        • Opcode ID: 172039706f693072dc9d04bdfcccb933a902077c78e676d0b750a38b29d640e1
                                                        • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                                        • Opcode Fuzzy Hash: 172039706f693072dc9d04bdfcccb933a902077c78e676d0b750a38b29d640e1
                                                        • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                        • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                        • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                        • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                        Similarity
                                                        • API ID: File$Write$Create
                                                        • String ID: RIFF$WAVE$data$fmt
                                                        • API String ID: 1602526932-4212202414
                                                        • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                        • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                        • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                        • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                        • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                        • API String ID: 1646373207-2064742459
                                                        • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                        • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                        • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                        • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 0040BC75
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                        • _wcslen.LIBCMT ref: 0040BD54
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                        • _wcslen.LIBCMT ref: 0040BE34
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                        • ExitProcess.KERNEL32 ref: 0040BED0
                                                        Similarity
                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                        • String ID: 6$C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe$del$open$BG$BG
                                                        • API String ID: 1579085052-899921245
                                                        • Opcode ID: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                                        • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                                                        • Opcode Fuzzy Hash: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                                        • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
                                                        APIs
                                                        • lstrlenW.KERNEL32(?), ref: 0041B1E6
                                                        • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                                                        • lstrlenW.KERNEL32(?), ref: 0041B217
                                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                                                        • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                                                        • _wcslen.LIBCMT ref: 0041B2EB
                                                        • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                                                        • GetLastError.KERNEL32 ref: 0041B323
                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                                                        • lstrcatW.KERNEL32(?,?), ref: 0041B369
                                                        • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                                                        • GetLastError.KERNEL32 ref: 0041B380
                                                        Similarity
                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                        • String ID: ?
                                                        • API String ID: 3941738427-1684325040
                                                        • Opcode ID: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                                        • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                                                        • Opcode Fuzzy Hash: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                                        • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                                                        APIs
                                                        Similarity
                                                        • API ID: _free$EnvironmentVariable$_wcschr
                                                        • String ID:
                                                        • API String ID: 3899193279-0
                                                        • Opcode ID: 4dff80f9f2e6418a47ef4f1e3ec22160d27dda194db1b92759e52112f0dcc884
                                                        • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                                                        • Opcode Fuzzy Hash: 4dff80f9f2e6418a47ef4f1e3ec22160d27dda194db1b92759e52112f0dcc884
                                                        • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                        • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                        • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                        • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                        • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                        • Sleep.KERNEL32(00000064), ref: 00412060
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        Similarity
                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                        • String ID: /stext "$HDG$HDG$>G$>G
                                                        • API String ID: 1223786279-3931108886
                                                        • Opcode ID: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                                        • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                                                        • Opcode Fuzzy Hash: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                                        • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                                                        APIs
                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                                                        • GetCursorPos.USER32(?), ref: 0041CB08
                                                        • SetForegroundWindow.USER32(?), ref: 0041CB11
                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                                                        • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                                                        • ExitProcess.KERNEL32 ref: 0041CB84
                                                        • CreatePopupMenu.USER32 ref: 0041CB8A
                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                                                        Similarity
                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                        • String ID: Close
                                                        • API String ID: 1657328048-3535843008
                                                        • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                        • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                                                        • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                        • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$Info
                                                        • String ID:
                                                        • API String ID: 2509303402-0
                                                        • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                        • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                                        • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                        • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                        • __aulldiv.LIBCMT ref: 00407FE9
                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                        • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                        • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                        • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                        • API String ID: 1884690901-3066803209
                                                        • Opcode ID: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                                        • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                                        • Opcode Fuzzy Hash: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                                        • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                                        APIs
                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                        • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                        • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                        • String ID: \ws2_32$\wship6$getaddrinfo
                                                        • API String ID: 2490988753-3078833738
                                                        • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                        • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                                                        • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                        • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 004500C1
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                                        • _free.LIBCMT ref: 004500B6
                                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                        • _free.LIBCMT ref: 004500D8
                                                        • _free.LIBCMT ref: 004500ED
                                                        • _free.LIBCMT ref: 004500F8
                                                        • _free.LIBCMT ref: 0045011A
                                                        • _free.LIBCMT ref: 0045012D
                                                        • _free.LIBCMT ref: 0045013B
                                                        • _free.LIBCMT ref: 00450146
                                                        • _free.LIBCMT ref: 0045017E
                                                        • _free.LIBCMT ref: 00450185
                                                        • _free.LIBCMT ref: 004501A2
                                                        • _free.LIBCMT ref: 004501BA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 161543041-0
                                                        • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                        • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                                        • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                        • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 0041913D
                                                        • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                                                        • Sleep.KERNEL32(000003E8), ref: 0041927D
                                                        • GetLocalTime.KERNEL32(?), ref: 0041928C
                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                        • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                        • API String ID: 489098229-65789007
                                                        • Opcode ID: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                                        • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                                                        • Opcode Fuzzy Hash: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                                        • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                                                        APIs
                                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                        • ExitProcess.KERNEL32 ref: 0040C832
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                        • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$p=\
                                                        • API String ID: 1913171305-2781974748
                                                        • Opcode ID: 9d9593f7d2fff8419b7a4165c874335f1e1c4ca55b8004b043af397299dbfd4c
                                                        • Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
                                                        • Opcode Fuzzy Hash: 9d9593f7d2fff8419b7a4165c874335f1e1c4ca55b8004b043af397299dbfd4c
                                                        • Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                        • Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
                                                        • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                        • Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                        • closesocket.WS2_32(000000FF), ref: 0040481F
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                        • String ID:
                                                        • API String ID: 3658366068-0
                                                        • Opcode ID: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                                        • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                                                        • Opcode Fuzzy Hash: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                                        • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48
                                                        APIs
                                                          • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                                                        • GetLastError.KERNEL32 ref: 00454AA6
                                                        • __dosmaperr.LIBCMT ref: 00454AAD
                                                        • GetFileType.KERNEL32(00000000), ref: 00454AB9
                                                        • GetLastError.KERNEL32 ref: 00454AC3
                                                        • __dosmaperr.LIBCMT ref: 00454ACC
                                                        • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                                                        • CloseHandle.KERNEL32(?), ref: 00454C36
                                                        • GetLastError.KERNEL32 ref: 00454C68
                                                        • __dosmaperr.LIBCMT ref: 00454C6F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                        • String ID: H
                                                        • API String ID: 4237864984-2852464175
                                                        • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                        • Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
                                                        • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                        • Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 65535$udp
                                                        • API String ID: 0-1267037602
                                                        • Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                                        • Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
                                                        • Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                                        • Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                        • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                        • String ID: <$@$@FG$@FG$TUF$Temp
                                                        • API String ID: 1107811701-4124992407
                                                        • Opcode ID: 2ef96a9cb1d95fb64f0202d71f3a89862d1029e439683586224ce07dc8cb56e9
                                                        • Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
                                                        • Opcode Fuzzy Hash: 2ef96a9cb1d95fb64f0202d71f3a89862d1029e439683586224ce07dc8cb56e9
                                                        • Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                        • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe), ref: 00406705
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CurrentProcess
                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                                        • API String ID: 2050909247-1144799832
                                                        • Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                                        • Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
                                                        • Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                                        • Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                                                        • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                                                        • __dosmaperr.LIBCMT ref: 004393DD
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                                                        • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                                                        • __dosmaperr.LIBCMT ref: 0043941A
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                                                        • __dosmaperr.LIBCMT ref: 0043946E
                                                        • _free.LIBCMT ref: 0043947A
                                                        • _free.LIBCMT ref: 00439481
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                        • String ID:
                                                        • API String ID: 2441525078-0
                                                        • Opcode ID: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                        • Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
                                                        • Opcode Fuzzy Hash: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                        • Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9
                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                        • TranslateMessage.USER32(?), ref: 00404F30
                                                        • DispatchMessageA.USER32(?), ref: 00404F3B
                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                        • API String ID: 2956720200-749203953
                                                        • Opcode ID: ed276ae60632ddb1123add7be1ccbfba2608c39a5df5d2a815a288664d31e13e
                                                        • Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
                                                        • Opcode Fuzzy Hash: ed276ae60632ddb1123add7be1ccbfba2608c39a5df5d2a815a288664d31e13e
                                                        • Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        • Opcode ID: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                        • Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
                                                        • Opcode Fuzzy Hash: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                        • Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
                                                        APIs
                                                        • _free.LIBCMT ref: 00446DEF
                                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                        • _free.LIBCMT ref: 00446DFB
                                                        • _free.LIBCMT ref: 00446E06
                                                        • _free.LIBCMT ref: 00446E11
                                                        • _free.LIBCMT ref: 00446E1C
                                                        • _free.LIBCMT ref: 00446E27
                                                        • _free.LIBCMT ref: 00446E32
                                                        • _free.LIBCMT ref: 00446E3D
                                                        • _free.LIBCMT ref: 00446E48
                                                        • _free.LIBCMT ref: 00446E56
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                        • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                                                        • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                        • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Eventinet_ntoa
                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                        • API String ID: 3578746661-4192532303
                                                        • Opcode ID: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                                        • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                                        • Opcode Fuzzy Hash: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                                        • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                        • Sleep.KERNEL32(00000064), ref: 00416688
                                                        • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                        • API String ID: 1462127192-2001430897
                                                        • Opcode ID: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                                        • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                                        • Opcode Fuzzy Hash: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                                        • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
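Read together, the ShellExecuteW(NULL, "open", "dxdiag", ...) call and the strings "/t ", "temp" and "\sysinfo.txt" describe system-inventory collection through a signed Windows tool: dxdiag is launched with /t so that it writes its report under the temp directory, the function sleeps (0x64, 100 ms), reads the file through the CreateFileW subcall (0x80000000 is GENERIC_READ) and then removes it with DeleteFileW. The exact command line is not in the listing (lpParameters is 0 at this call site), so `dxdiag /t <temp>\sysinfo.txt` is our reconstruction from those strings, not something the report states. The Python below is an added hunting example, not part of the report or of the sample: it runs that reading as a rule over constructed Sysmon-style process-creation events (the JSON lines, the parent paths and the file names are invented for the example), flagging dxdiag.exe whenever /t points into a temp directory and returning the parent image for triage.

```python
import json
import re

# Constructed Sysmon-style process-creation events (one JSON object per line).
# Not real telemetry: event 1 mirrors the command the report's strings suggest,
# the others are benign look-alikes that the rule must leave alone.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\dxdiag.exe", "CommandLine": "dxdiag /t C:\\Users\\user\\AppData\\Local\\Temp\\sysinfo.txt", "ParentImage": "C:\\Users\\user\\Desktop\\sample.exe"}
{"Image": "C:\\Windows\\System32\\dxdiag.exe", "CommandLine": "\"C:\\Windows\\System32\\dxdiag.exe\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\System32\\dxdiag.exe", "CommandLine": "dxdiag /t C:\\support\\workstation-report.txt", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad C:\\Users\\user\\AppData\\Local\\Temp\\sysinfo.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

TOKEN = re.compile(r'"[^"]*"|\S+')                # split a Windows command line, quoted paths kept whole
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.I)  # a \Temp\ or \tmp\ component anywhere in the path


def dxdiag_report_target(cmdline):
    """Return the path dxdiag was told to write with /t, or None when /t is absent."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    for i, tok in enumerate(tokens[:-1]):      # /t as the last token has no target
        if tok.lower() == "/t":
            return tokens[i + 1]
    return None


def is_suspicious(event):
    """dxdiag.exe writing its report into a temp directory: the write-then-read-then-delete pattern."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "dxdiag.exe":
        return False
    target = dxdiag_report_target(event.get("CommandLine", ""))
    return target is not None and TEMP_DIR.search(target) is not None


def hunt(events_text):
    """Run the rule over newline-delimited JSON events; return hits with triage context."""
    hits = []
    for line in events_text.strip().splitlines():
        event = json.loads(line)
        if is_suspicious(event):
            hits.append({"target": dxdiag_report_target(event["CommandLine"]),
                         "parent": event.get("ParentImage", "")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"dxdiag report to {hit['target']} spawned by {hit['parent']}")
```

The temp-directory test, not the file name, is the discriminator, since the operator picks the name; an administrator running `dxdiag /t` from cmd.exe into a support folder passes through untouched, and the parent image is returned rather than matched because the sample's own path is whatever it was dropped as.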
                                                        APIs
                                                        • _strftime.LIBCMT ref: 00401AD3
                                                          • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                        • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                        • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                        • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                        • API String ID: 3809562944-3643129801
                                                        • Opcode ID: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                                        • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                                        • Opcode Fuzzy Hash: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                                        • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
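The function listings on this page carry enough to tag capabilities without reopening the sample in IDA: waveIn* calls next to a `%Y-%m-%d %H.%M` format string and `.wav` are microphone capture into timestamped files; OpenServiceW with 0x000F003F (SERVICE_ALL_ACCESS) followed by ControlService with dwControl 1 (SERVICE_CONTROL_STOP) stops a named service; the "[+] NtAllocateVirtualMemory Success" and "\explorer.exe" strings, with the stack values 0x3000 (MEM_COMMIT|MEM_RESERVE) and 0x4 (PAGE_READWRITE) visible in the GetCurrentProcess listing, read as memory allocation in explorer.exe ahead of injection; ShellExecuteExA, WaitForSingleObject and DeleteFileA in one function with a send() subcall is run-wait-delete with the outcome reported to the C2. The Python below is an added example, not Joe Sandbox code and not from the sample: it parses blocks in this page's own text layout (the bullet API lines, the `$`-separated String ID, the Instruction Fuzzy Hash that closes each block) and maps each block to such tags. The sample text is copied from this report's blocks; the tag names, the rule set and the readings behind them are our assumptions, and the "Part of subcall function" lines are kept with their parent address so that a send() reached through a helper still counts.

```python
import re

# Constructed sample: five function blocks in the layout Joe Sandbox uses for its
# per-function "APIs / String ID / Instruction Fuzzy Hash" listings. The lines are
# copied from this report; assembling them into one text is ours.
SAMPLE_REPORT = r"""
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
• CloseHandle.KERNEL32(00000000), ref: 00416F2D
• DeleteFileA.KERNEL32(00000000), ref: 00416F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
  • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
• String ID: <$@$@FG$@FG$TUF$Temp
• Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
APIs
• GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
• Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
• String ID:
• Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
• Sleep.KERNEL32(00000064), ref: 00416688
• DeleteFileW.KERNEL32(00000000), ref: 004166BC
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
APIs
• _strftime.LIBCMT ref: 00401AD3
  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
• waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
• String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
• Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
"""

# One API bullet: optional "Part of subcall function <addr>:" prefix, Name.MODULE, optional
# argument list, then "ref: <addr>". Lines without a ref (API ID, Source File, ...) do not match.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")


def new_block():
    return {"apis": [], "strings": [], "hash": ""}


def parse_report(text):
    """Split report text into blocks; a block closes at its Instruction Fuzzy Hash line."""
    blocks, cur = [], new_block()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("• String ID:"):
            cur["strings"] = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur["hash"] = line.split(":", 1)[1].strip()
            blocks.append(cur)
            cur = new_block()
        else:
            m = API_LINE.match(line)
            if m:
                args = m.group("args")
                cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                    "args": args.split(",") if args else [],
                                    "ref": m.group("ref"), "parent": m.group("parent")})
    return blocks


def api_names(block):
    return {a["name"] for a in block["apis"]}


def _hexval(token):
    try:
        return int(token, 16)
    except ValueError:          # "?" placeholders and string arguments are not numbers
        return None


def stops_service(block):
    # ControlService(hService, dwControl, lpServiceStatus): dwControl 1 is SERVICE_CONTROL_STOP
    return any(len(a["args"]) > 1 and _hexval(a["args"][1]) == 1
               for a in block["apis"] if a["name"] == "ControlService")


# Capability tags (our names); each predicate encodes one reading of a block on this page.
RULES = [
    ("audio_capture", lambda b: any(n.startswith("waveIn") for n in api_names(b))),
    ("timestamped_wav_output", lambda b: ".wav" in b["strings"] and any("%Y" in s for s in b["strings"])),
    ("service_stop", stops_service),
    ("sysinfo_via_dxdiag", lambda b: "dxdiag" in b["strings"] and "/t " in b["strings"]),
    ("explorer_injection_strings", lambda b: any("NtAllocateVirtualMemory" in s for s in b["strings"])
     and any(s.endswith("explorer.exe") for s in b["strings"])),
    ("drop_execute_cleanup", lambda b: {"ShellExecuteExA", "WaitForSingleObject", "DeleteFileA"} <= api_names(b)),
    ("c2_send_in_subcall", lambda b: any(a["name"] == "send" and a["parent"] for a in b["apis"])),
]


def classify(block):
    return [tag for tag, pred in RULES if pred(block)]


def summarize(text):
    """(fuzzy-hash prefix, tags) per block, so each hit ties back to a report entry."""
    return [(b["hash"][:8], classify(b)) for b in parse_report(text)]


if __name__ == "__main__":
    for prefix, tags in summarize(SAMPLE_REPORT):
        print(prefix, ", ".join(tags) or "-")
```

Fed the text of a whole Functions section it tags every block the same way; the fuzzy-hash prefix is kept as the key because that is the value this report exposes for comparing a function against the same function in another Remcos build.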
                                                        APIs
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                        • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                        • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                        • waveInStart.WINMM ref: 00401A81
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                        • String ID: XCG$`=G$x=G
                                                        • API String ID: 1356121797-903574159
                                                        • Opcode ID: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                                        • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                                        • Opcode Fuzzy Hash: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                                        • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                                          • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                          • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                          • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                                        • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                                        • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                                        • TranslateMessage.USER32(?), ref: 0041CA0B
                                                        • DispatchMessageA.USER32(?), ref: 0041CA15
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                        • String ID: Remcos
                                                        • API String ID: 1970332568-165870891
                                                        • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                        • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                                        • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                        • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
                                                        • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                                        • Opcode Fuzzy Hash: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
                                                        • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                                        APIs
                                                        • GetCPInfo.KERNEL32(?,?), ref: 00452BE6
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C69
                                                        • __alloca_probe_16.LIBCMT ref: 00452CA1
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CFC
                                                        • __alloca_probe_16.LIBCMT ref: 00452D4B
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D13
                                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D8F
                                                        • __freea.LIBCMT ref: 00452DBA
                                                        • __freea.LIBCMT ref: 00452DC6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                        • String ID:
                                                        • API String ID: 201697637-0
                                                        • Opcode ID: 9bbe35462230cfd41bb5c244eb617c21ab0dbbd99226abfb5f91c2ba7bf60e7b
                                                        • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                                                        • Opcode Fuzzy Hash: 9bbe35462230cfd41bb5c244eb617c21ab0dbbd99226abfb5f91c2ba7bf60e7b
                                                        • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                                                        APIs
                                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                        • _memcmp.LIBVCRUNTIME ref: 004446B3
                                                        • _free.LIBCMT ref: 00444724
                                                        • _free.LIBCMT ref: 0044473D
                                                        • _free.LIBCMT ref: 0044476F
                                                        • _free.LIBCMT ref: 00444778
                                                        • _free.LIBCMT ref: 00444784
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                        • String ID: C
                                                        • API String ID: 1679612858-1037565863
                                                        • Opcode ID: eb7ad68443f1844e844de8e5443f327502456b0f86996943e633107ca9740756
                                                        • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                                                        • Opcode Fuzzy Hash: eb7ad68443f1844e844de8e5443f327502456b0f86996943e633107ca9740756
                                                        • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tcp$udp
                                                        • API String ID: 0-3725065008
                                                        • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                        • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                                                        • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                        • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                        APIs
                                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                          • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                          • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnumInfoOpenQuerysend
                                                        • String ID: TUF$TUFTUF$>G$DG$DG
                                                        • API String ID: 3114080316-72097156
                                                        • Opcode ID: 08034cecb19fcd7980957ebfa6e18f25f8bbd9987c681b47e78dc83fc42bb37e
                                                        • Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
                                                        • Opcode Fuzzy Hash: 08034cecb19fcd7980957ebfa6e18f25f8bbd9987c681b47e78dc83fc42bb37e
                                                        • Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                          • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                          • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                        • String ID: .part
                                                        • API String ID: 1303771098-3499674018
                                                        • Opcode ID: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                                        • Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
                                                        • Opcode Fuzzy Hash: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                                        • Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
                                                        APIs
                                                          • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                          • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                          • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                          • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                        • _wcslen.LIBCMT ref: 0041A906
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                        • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                        • API String ID: 3286818993-703403762
                                                        • Opcode ID: f6ea33bfe9aeb7d2f24a1418d8181db5ac7c03ccdcffe2a82dcde258621e9c28
                                                        • Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
                                                        • Opcode Fuzzy Hash: f6ea33bfe9aeb7d2f24a1418d8181db5ac7c03ccdcffe2a82dcde258621e9c28
                                                        • Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
                                                        APIs
                                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                                        • API String ID: 1133728706-1738023494
                                                        APIs
                                                        • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                                        • GetConsoleWindow.KERNEL32 ref: 0041BECF
                                                        • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Console$Window$AllocOutputShow
                                                        • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                        • API String ID: 4067487056-2527699604
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
                                                        • __alloca_probe_16.LIBCMT ref: 004499F2
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
                                                        • __alloca_probe_16.LIBCMT ref: 00449AD7
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                                                        • __freea.LIBCMT ref: 00449B47
                                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                        • __freea.LIBCMT ref: 00449B50
                                                        • __freea.LIBCMT ref: 00449B75
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 3864826663-0
                                                        APIs
                                                        • SendInput.USER32 ref: 00418B18
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                                                          • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InputSend$Virtual
                                                        • String ID:
                                                        • API String ID: 1167301434-0
                                                        APIs
                                                        • OpenClipboard.USER32 ref: 00415A46
                                                        • EmptyClipboard.USER32 ref: 00415A54
                                                        • CloseClipboard.USER32 ref: 00415A5A
                                                        • OpenClipboard.USER32 ref: 00415A61
                                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                        • CloseClipboard.USER32 ref: 00415A89
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                        • String ID:
                                                        • API String ID: 2172192267-0
                                                        APIs
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __freea$__alloca_probe_16
                                                        • String ID: a/p$am/pm$fD
                                                        • API String ID: 3509577899-1143445303
                                                        APIs
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        APIs
                                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                        • _free.LIBCMT ref: 00444096
                                                        • _free.LIBCMT ref: 004440AD
                                                        • _free.LIBCMT ref: 004440CC
                                                        • _free.LIBCMT ref: 004440E7
                                                        • _free.LIBCMT ref: 004440FE
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$AllocateHeap
                                                        • String ID: Z7D
                                                        • API String ID: 3033488037-2145146825
                                                        APIs
                                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                                        • __fassign.LIBCMT ref: 0044A190
                                                        • __fassign.LIBCMT ref: 0044A1AB
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                                        • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                                        • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • String ID:
                                                        • API String ID: 1324828854-0
                                                        APIs
                                                        • ExitThread.KERNEL32 ref: 004017F4
                                                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                        • __Init_thread_footer.LIBCMT ref: 004017BC
                                                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                        • String ID: T=G$>G$>G
                                                        • API String ID: 1596592924-1617985637
                                                        APIs
                                                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                          • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                          • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                                                          • Part of subcall function 0041B197: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1B7
                                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                        • String ID: PgF
                                                        • API String ID: 2180151492-654241383
                                                        • Opcode ID: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                                        • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                                                        • Opcode Fuzzy Hash: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                                        • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
                                                        APIs
                                                        • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                                                        • _ValidateLocalCookies.LIBCMT ref: 00437B51
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                                                        • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                        • String ID: csm
                                                        • API String ID: 1170836740-1018135373
                                                        • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                        • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                                                        • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                        • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                                        • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                                                        • Opcode Fuzzy Hash: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                                        • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                        • int.LIBCPMT ref: 0040FC0F
                                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                        • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                        • String ID: p[G
                                                        • API String ID: 2536120697-440918510
                                                        • Opcode ID: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                                                        • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                                                        • Opcode Fuzzy Hash: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                                                        • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                                                        APIs
                                                          • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                                        • _free.LIBCMT ref: 0044FD39
                                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                        • _free.LIBCMT ref: 0044FD44
                                                        • _free.LIBCMT ref: 0044FD4F
                                                        • _free.LIBCMT ref: 0044FDA3
                                                        • _free.LIBCMT ref: 0044FDAE
                                                        • _free.LIBCMT ref: 0044FDB9
                                                        • _free.LIBCMT ref: 0044FDC4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                        • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                                                        • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                        • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                                                        APIs
                                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe), ref: 00406835
                                                          • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                          • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                        • CoUninitialize.OLE32 ref: 0040688E
                                                        Strings
                                                        • C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                        • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                        • [+] ShellExec success, xrefs: 00406873
                                                        • [+] before ShellExec, xrefs: 00406856
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                        • String ID: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                        • API String ID: 3851391207-3167074629
                                                        • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                        • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                        • Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                        • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                        • int.LIBCPMT ref: 0040FEF2
                                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                        • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                        • String ID: h]G
                                                        • API String ID: 2536120697-1579725984
                                                        • Opcode ID: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
                                                        • Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
                                                        • Opcode Fuzzy Hash: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
                                                        • Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789
                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                        • GetLastError.KERNEL32 ref: 0040B2EE
                                                        Strings
                                                        • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                        • [Chrome Cookies not found], xrefs: 0040B308
                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                        • UserProfile, xrefs: 0040B2B4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                        • API String ID: 2018770650-304995407
                                                        • Opcode ID: 30e5fcbe14093218a38d76bda61cf748b30cc159a0567d7ee95bef924cd16ffd
                                                        • Instruction ID: 57831ae66bbe87b328e3caf482cfdb9a18bfb77b2c204d956758bc207329a0f7
                                                        • Opcode Fuzzy Hash: 30e5fcbe14093218a38d76bda61cf748b30cc159a0567d7ee95bef924cd16ffd
                                                        • Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE
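The two records above, the CoGetObject/ucmCMLuaUtilShellExecMethod function (the CMSTPLUA UAC bypass flagged in the signature list) and the DeleteFileA function that removes Chrome's Cookies database, are the kind of API-plus-string combinations worth turning into an automated triage check rather than reading by hand. The following is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It parses the per-function "APIs" / "Strings" listing format used in this report and applies three rules whose names are my own. The sample text is constructed from records on this page with the long sample path shortened, and the assumption that a record ends at its "Instruction Fuzzy Hash" line is mine.

```python
"""Triage helper for Joe Sandbox function records (added example, not Joe Sandbox code).

Parses the "APIs" / "Strings" listing format seen in this report and flags the
behaviour combinations an analyst looking at Remcos would want surfaced.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt: three records from this report, whitespace trimmed and
# the sample path shortened to sample.exe. Not an exhaustive copy of the page.
SAMPLE = r"""
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\sample.exe), ref: 00406835
  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
Strings
• C:\Users\user\Desktop\sample.exe, xrefs: 00406815, 00406818, 0040686A
• [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
• [+] ShellExec success, xrefs: 00406873
• [+] before ShellExec, xrefs: 00406856
Memory Dump Source
• Instruction Fuzzy Hash: A001C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
• GetLastError.KERNEL32 ref: 0040B2EE
Strings
• [Chrome Cookies found, cleared!], xrefs: 0040B314
• [Chrome Cookies not found], xrefs: 0040B308
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
• UserProfile, xrefs: 0040B2B4
• Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE
Strings
• C:\Users\user\Desktop\sample.exe, xrefs: 00406927
• BG, xrefs: 00406909
• Rmc-MH2R80, xrefs: 0040693F
• Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
"""

# "• Name.MODULE(" or "• Name.MODULE ref:", optionally prefixed by the
# "Part of subcall function XXXX:" marker; subcall APIs count for the record too.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Z][A-Z0-9]*)(?=[( ]|$)"
)
RECORD_END = "• Instruction Fuzzy Hash:"   # assumption: last line of each record


@dataclass
class Record:
    apis: set = field(default_factory=set)
    strings: list = field(default_factory=list)


def parse_records(text):
    """Split the listing into records, keeping API names and string literals."""
    records, cur, section = [], Record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(RECORD_END):
            records.append(cur)
            cur, section = Record(), None
        elif not line.startswith("•"):
            # Section header: only APIs and Strings carry data we keep.
            section = line if line in ("APIs", "Strings") else None
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.add(m.group("api"))
        elif section == "Strings":
            # "• literal, xrefs: 0040..., ..." -> literal
            cur.strings.append(line[1:].strip().rsplit(", xrefs:", 1)[0])
    if cur.apis or cur.strings:
        records.append(cur)
    return records


# rule name -> (APIs that must all be present, substrings that must each occur)
RULES = {
    # CoGetObject plus the UACMe method name seen in this sample's log strings
    "uac_bypass_cmstplua": ({"CoGetObject"}, ("ucmCMLuaUtilShellExecMethod",)),
    # DeleteFileA on Chrome's cookie database ("[Chrome Cookies found, cleared!]")
    "chrome_cookie_wipe": ({"DeleteFileA"}, (r"\Google\Chrome\User Data\Default\Cookies",)),
    # "Rmc-" prefix of the Remcos install/mutex name observed in this sample
    "remcos_marker": (set(), ("Rmc-",)),
}


def match_rules(records):
    """Return (rule_name, record_index) for every record satisfying a rule."""
    hits = []
    for idx, rec in enumerate(records):
        for name, (need_apis, need_substrs) in RULES.items():
            if need_apis <= rec.apis and all(
                any(sub in s for s in rec.strings) for sub in need_substrs
            ):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in match_rules(parse_records(SAMPLE)):
        print(f"record {idx}: {name}")
```

Run it against the full report text instead of SAMPLE to cover every function record; because subcall APIs are attributed to the calling record, CoGetObject from the 00406764 helper is matched at the caller where the "[+] ucmCMLuaUtilShellExecMethod" string lives, which is the pairing the rule is after.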
                                                        Strings
                                                        • C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, xrefs: 00406927
                                                        • BG, xrefs: 00406909
                                                        • Rmc-MH2R80, xrefs: 0040693F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe$Rmc-MH2R80$BG
                                                        • API String ID: 0-2138360849
                                                        • Opcode ID: d50a95e135f0bfdaf236d1bb78b8391e43d4b57b805b0d92c2bf5032378cfc05
                                                        • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                        • Opcode Fuzzy Hash: d50a95e135f0bfdaf236d1bb78b8391e43d4b57b805b0d92c2bf5032378cfc05
                                                        • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                        APIs
                                                        • __allrem.LIBCMT ref: 00439799
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                                                        • __allrem.LIBCMT ref: 004397CC
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                                                        • __allrem.LIBCMT ref: 00439801
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                        • String ID:
                                                        • API String ID: 1992179935-0
                                                        • Opcode ID: e717a979b06a6d59714d5f6060216880ad0b40e6851c78038ac3081c6fc0778a
                                                        • Instruction ID: 580a0d75dc01f3f4b0c8d364acae3af6b21ca74026922d198920ae34195595c3
                                                        • Opcode Fuzzy Hash: e717a979b06a6d59714d5f6060216880ad0b40e6851c78038ac3081c6fc0778a
                                                        • Instruction Fuzzy Hash: 8581FC71A01B069BE724AE69CC82B5F73A8AF89368F24512FF411D7381E7B8DD018758
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __cftoe
                                                        • String ID:
                                                        • API String ID: 4189289331-0
                                                        • Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                        • Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
                                                        • Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                        • Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D
                                                        APIs
                                                        • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                          • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • API ID: H_prologSleep
                                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                        • API String ID: 3469354165-462540288
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                        • String ID:
                                                        • API String ID: 493672254-0
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                                                        • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        • API String ID: 3852720340-0
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                        • _free.LIBCMT ref: 00446F06
                                                        • _free.LIBCMT ref: 00446F2E
                                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                        • _abort.LIBCMT ref: 00446F4D
                                                        • API ID: ErrorLast$_free$_abort
                                                        • String ID:
                                                        • API String ID: 3160817290-0
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        APIs
                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                        • API ID: Enum$InfoQueryValue
                                                        • String ID: [regsplt]$DG
                                                        • API String ID: 3554306468-1089238109
                                                        • API ID: _free
                                                        • String ID: wKE
                                                        • API String ID: 269201875-3150218262
                                                        APIs
                                                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                        • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                        • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                                        • API String ID: 2974294136-4018440003
                                                        APIs
                                                        • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                        • GetLastError.KERNEL32 ref: 0041CAA1
                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                        • String ID: 0$MsgWindowClass
                                                        • API String ID: 2877667751-2410386613
                                                        • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                        • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                                                        • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                        • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                                                        APIs
                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                        • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                        • CloseHandle.KERNEL32(?), ref: 00406A14
                                                        Strings
                                                        • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandle$CreateProcess
                                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                        • API String ID: 2922976086-4183131282
                                                        • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                        • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                                                        • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                        • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002), ref: 00442609
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044263F
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                        • Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
                                                        • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                        • Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
                                                        APIs
                                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                        • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                        • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: pth_unenc$BG
                                                        • API String ID: 1818849710-2233081382
                                                        • Opcode ID: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                                        • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                        • Opcode Fuzzy Hash: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                                        • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                        • SetEvent.KERNEL32(00000304), ref: 00404AF9
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                        • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                        • String ID: KeepAlive | Disabled
                                                        • API String ID: 2993684571-305739064
                                                        • Opcode ID: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                                        • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                                                        • Opcode Fuzzy Hash: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                                        • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                                                        APIs
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                                                        • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                                                        • Sleep.KERNEL32(00002710), ref: 00419F89
                                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                                                        Strings
                                                        Yara matches
                                                        Similarity
                                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                                        • String ID: Alarm triggered
                                                        • API String ID: 614609389-2816303416
                                                        • Opcode ID: 639ba6f34a921cef31bf8efcaa9c44f722cdb1a3cf49c6cc12d230aeec66adff
                                                        • Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
                                                        • Opcode Fuzzy Hash: 639ba6f34a921cef31bf8efcaa9c44f722cdb1a3cf49c6cc12d230aeec66adff
                                                        • Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB
                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                                                        Strings
                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                        • API String ID: 3024135584-2418719853
                                                        • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                        • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                        • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                        • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                        • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                                                        • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                        • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                                                        APIs
                                                          • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                        • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                        • String ID:
                                                        • API String ID: 3525466593-0
                                                        • Opcode ID: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                        • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                                                        • Opcode Fuzzy Hash: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                        • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                                                        APIs
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                        • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                                                        • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                        • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
                                                        • __alloca_probe_16.LIBCMT ref: 0044FF68
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
                                                        • __freea.LIBCMT ref: 0044FFD4
                                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                        • String ID:
                                                        • API String ID: 313313983-0
                                                        • Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                        • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                                                        • Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                        • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                                                        • _free.LIBCMT ref: 0044E1B0
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                        • String ID:
                                                        • API String ID: 336800556-0
                                                        APIs
                                                        • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445369,00440AAB,00000000,?,?,?,?,00440C8E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F58
                                                        • _free.LIBCMT ref: 00446F8D
                                                        • _free.LIBCMT ref: 00446FB4
                                                        • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FC1
                                                        • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FCA
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID:
                                                        • API String ID: 3170660625-0
                                                        APIs
                                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3D8
                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                                        Similarity
                                                        • API ID: Process$CloseHandleOpen$FileImageName
                                                        • String ID:
                                                        • API String ID: 2951400881-0
                                                        APIs
                                                        • _free.LIBCMT ref: 0044F7C5
                                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                        • _free.LIBCMT ref: 0044F7D7
                                                        • _free.LIBCMT ref: 0044F7E9
                                                        • _free.LIBCMT ref: 0044F7FB
                                                        • _free.LIBCMT ref: 0044F80D
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        APIs
                                                        • _free.LIBCMT ref: 00443315
                                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                        • _free.LIBCMT ref: 00443327
                                                        • _free.LIBCMT ref: 0044333A
                                                        • _free.LIBCMT ref: 0044334B
                                                        • _free.LIBCMT ref: 0044335C
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        APIs
                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                        • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                        • IsWindowVisible.USER32(?), ref: 004167A1
                                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                        Strings
                                                        Similarity
                                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                                        • String ID: (FG
                                                        • API String ID: 3142014140-2273637114
                                                        APIs
                                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                          • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        Strings
                                                        Similarity
                                                        • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                        • String ID: XCG$`AG$>G
                                                        • API String ID: 2334542088-2372832151
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe,00000104), ref: 00442724
                                                        • _free.LIBCMT ref: 004427EF
                                                        • _free.LIBCMT ref: 004427F9
                                                        Strings
                                                        • C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe, xrefs: 0044271B, 00442722, 00442751, 00442789
                                                        Similarity
                                                        • API ID: _free$FileModuleName
                                                        • String ID: C:\Users\user\Desktop\1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe
                                                        • API String ID: 2506810119-326502840
                                                        APIs
                                                        • send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        • WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                        • SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                        Strings
                                                        Similarity
                                                        • API ID: EventObjectSingleWaitsend
                                                        • String ID: LAL
                                                        • API String ID: 3963590051-3302426157
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                        • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                        Strings
                                                        Similarity
                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                        • String ID: /sort "Visit Time" /stext "$8>G
                                                        • API String ID: 368326130-2663660666
                                                        APIs
                                                          • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                        • ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
                                                        • ExitProcess.KERNEL32 ref: 0040C63E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateExecuteExitFileProcessShell
                                                        • String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
                                                        • API String ID: 2309964880-3562070623
                                                        • Opcode ID: 355b2c8b4db0139162816cdc4a3c049ca7e0b3ef8aa2afc8d6a7588b112dea38
                                                        • Instruction ID: ace0f40cc0655528612a0b5402a09b3609fe8f046c2334cef27d09c8f481fd79
                                                        • Opcode Fuzzy Hash: 355b2c8b4db0139162816cdc4a3c049ca7e0b3ef8aa2afc8d6a7588b112dea38
                                                        • Instruction Fuzzy Hash: D42145315042405AC324FB25E8969BF77E4AFD1318F50453FF482620F2EF38AA49C69A
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                        • wsprintfW.USER32 ref: 0040A905
                                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EventLocalTimewsprintf
                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                        • API String ID: 1497725170-1359877963
                                                        • Opcode ID: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                        • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                                                        • Opcode Fuzzy Hash: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                        • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                                                        APIs
                                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                        • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                        • String ID: Online Keylogger Started
                                                        • API String ID: 112202259-1258561607
                                                        • Opcode ID: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                                        • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                                                        • Opcode Fuzzy Hash: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                                        • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
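The two functions above are the keylogger's log writer and its start-up routine: the first builds a header with wsprintfW from the strings "[%04i/%02i/%02i %02i:%02i:%02i " and "]" (the "$" between them is Joe Sandbox's string separator, not part of the sample), and the second starts three worker threads and logs "Online Keylogger Started". The parser below is an added example for this report, not code from the sample or from Joe Sandbox. It reconstructs the header layout from that format string; what the sample writes between the timestamp and the closing bracket is not shown in the report, so treating that text as the foreground window title is an assumption, and the sample keylog text is constructed.

```python
# Added example for this report (not code from the sample or from Joe Sandbox).
# Parses the keylog header whose layout the function above builds with
# wsprintfW: "[%04i/%02i/%02i %02i:%02i:%02i " followed by "]".  The text
# between the timestamp and "]" is ASSUMED to be the window title.
import re
from datetime import datetime

# "[YYYY/MM/DD HH:MM:SS <title>]" -- derived from the wsprintfW format string.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<title>.*)\]$"
)

# Constructed sample keylog text; not recovered from the sandbox run.
SAMPLE_LOG = (
    "[2025/01/08 09:15:02 Untitled - Notepad]\n"
    "hello world[Enter]\n"
    "[2025/01/08 09:16:40 Sign in - Google Chrome]\n"
    "user@example.com[Tab]hunter2[Enter]\n"
)


def parse_keylog(text):
    """Split keylog text into entries: one per header line, each carrying the
    keystroke lines that follow it.  Lines before the first valid header are
    dropped.  A header-shaped line with an impossible date (e.g. month 13) is
    not treated as a header; it is kept as keystroke text of the current entry
    so that typed text that happens to look like a header is not lost."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            try:
                ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            except ValueError:
                ts = None
            if ts is not None:
                current = {"timestamp": ts, "title": m.group("title"), "keys": []}
                entries.append(current)
                continue
        if current is not None:
            current["keys"].append(line)
    return entries


def header_like_lines(text):
    """Cheap triage check: number of lines that match the header layout."""
    return sum(1 for line in text.splitlines() if HEADER_RE.match(line))


if __name__ == "__main__":
    for entry in parse_keylog(SAMPLE_LOG):
        print(entry["timestamp"].isoformat(), repr(entry["title"]), entry["keys"])
```

Run it over a recovered keylog file (or over the decoded contents of the log the sample keeps on disk) to get one record per window switch; header_like_lines is a quick way to decide whether an unknown text blob is such a log before parsing it.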
                                                        APIs
                                                        • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                                                        • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                                                        • __dosmaperr.LIBCMT ref: 0044AB0E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseErrorHandleLast__dosmaperr
                                                        • String ID: `@
                                                        • API String ID: 2583163307-951712118
                                                        • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                        • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                                                        • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                        • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                        • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                        • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandleObjectSingleWait
                                                        • String ID: Connection Timeout
                                                        • API String ID: 2055531096-499159329
                                                        • Opcode ID: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                                        • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                                                        • Opcode Fuzzy Hash: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                                        • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                          • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                                                          • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                        • String ID: bad locale name
                                                        • API String ID: 3628047217-1405518554
                                                        • Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                                        • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                                                        • Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                                        • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExecuteShell
                                                        • String ID: /C $cmd.exe$open
                                                        • API String ID: 587946157-3896048727
                                                        • Opcode ID: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                        • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                        • Opcode Fuzzy Hash: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                        • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                        APIs
                                                        • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                        • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                        • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: TerminateThread$HookUnhookWindows
                                                        • String ID: pth_unenc
                                                        • API String ID: 3123878439-4028850238
                                                        • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                        • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                        • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                        • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __alldvrm$_strrchr
                                                        • String ID:
                                                        • API String ID: 1036877536-0
                                                        • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                        • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                                        • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                        • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                        • Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
                                                        • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                        • Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784
                                                        APIs
                                                        Strings
                                                        • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                        • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                        • API String ID: 3472027048-1236744412
                                                        • Opcode ID: d2a0294277962853990a195d18ad75d93c5fb84cb6733bcbd89099a09a5abd0a
                                                        • Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
                                                        • Opcode Fuzzy Hash: d2a0294277962853990a195d18ad75d93c5fb84cb6733bcbd89099a09a5abd0a
                                                        • Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
                                                        APIs
                                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                        • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQuerySleepValue
                                                        • String ID: exepath$p=\$BG
                                                        • API String ID: 4119054056-3209205868
                                                        • Opcode ID: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                        • Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
                                                        • Opcode Fuzzy Hash: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                        • Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
                                                        APIs
                                                        Similarity
                                                        • API ID: SystemTimes$Sleep__aulldiv
                                                        • String ID:
                                                        • API String ID: 188215759-0
                                                        • Opcode ID: a7aecd4cc0fde8f7b051f4ea324c4733a42c71902c3a125d4e8e0ff6e46eea08
                                                        • Instruction ID: a679ad691b1e431344cd65e278b90b5c6278f623fb05ceb41248f345421e7781
                                                        • Opcode Fuzzy Hash: a7aecd4cc0fde8f7b051f4ea324c4733a42c71902c3a125d4e8e0ff6e46eea08
                                                        • Instruction Fuzzy Hash: 30215E725093009BC304DFA5D98589FB7E8EFC8754F044A2EF585D3251EA35EA49CBA3
                                                        APIs
                                                          • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                                                          • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                                                          • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                                                        • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                        • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                        Strings
                                                        Similarity
                                                        • API ID: Window$SleepText$ForegroundLength
                                                        • String ID: [ $ ]
                                                        • API String ID: 3309952895-93608704
                                                        • Opcode ID: d9bb369aee4f6e2201f2c860cf6756c16528595133d71e2ae5baff2000eb7cae
                                                        • Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
                                                        • Opcode Fuzzy Hash: d9bb369aee4f6e2201f2c860cf6756c16528595133d71e2ae5baff2000eb7cae
                                                        • Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                        • Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
                                                        • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                        • Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                        • Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
                                                        • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                        • Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179
                                                        APIs
                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                                                          • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                                                          • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                                                        • _UnwindNestedFrames.LIBCMT ref: 00438134
                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                                                        • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                                                        Similarity
                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                        • String ID:
                                                        • API String ID: 737400349-0
                                                        • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                        • Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
                                                        • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                        • Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                                                        • GetLastError.KERNEL32(?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3177248105-0
                                                        • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                        • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                                                        • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                        • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleReadSize
                                                        • String ID:
                                                        • API String ID: 3919263394-0
                                                        • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                        • Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
                                                        • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                        • Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA
                                                        APIs
                                                        • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                                        • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                                        • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                                        • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                                        Similarity
                                                        • API ID: MetricsSystem
                                                        • String ID:
                                                        • API String ID: 4116985748-0
                                                        • Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                        • Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
                                                        • Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                        • Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorHandling__start
                                                        • String ID: pow
                                                        • API String ID: 3213639722-2276729525
                                                        • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                        • Instruction ID: b0758be5652a64c1ac5d647a76b92dde9bac1040a8da8be5e5c84d6172790ea5
                                                        • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                        • Instruction Fuzzy Hash: E6515A61A0A20296F7117B14C98136F6B949B50741F288D6BF085823F9EF3DCCDB9A4E
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _memcmp
                                                        • String ID: 4[G$4[G
                                                        • API String ID: 2931989736-4028565467
                                                        • Opcode ID: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                                        • Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
                                                        • Opcode Fuzzy Hash: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                                        • Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD
                                                        APIs
                                                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                                        Strings
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID: $vD
                                                        • API String ID: 1807457897-3636070802
                                                        • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                        • Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
                                                        • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                        • Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65
                                                        APIs
                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C18
                                                          • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C65
                                                          • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                                          • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                                        Strings
                                                        Similarity
                                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                        • String ID: image/jpeg
                                                        • API String ID: 1291196975-3785015651
                                                        • Opcode ID: d4376d3aa41ba41f336d454eb71a79e6a36b8bd1c58ceebdc91cf2e64db4f38d
                                                        • Instruction ID: 3c33996df4896106dd3ee16a81609d02114e1f450a3ece369daacccd15328daf
                                                        • Opcode Fuzzy Hash: d4376d3aa41ba41f336d454eb71a79e6a36b8bd1c58ceebdc91cf2e64db4f38d
                                                        • Instruction Fuzzy Hash: 72315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                        APIs
                                                        • GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509C9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ACP$OCP
                                                        • API String ID: 0-711371036
                                                        • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                        • Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
                                                        • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                        • Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358
                                                        APIs
                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417D04
                                                          • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D29
                                                          • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                                          • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                        • String ID: image/png
                                                        • API String ID: 1291196975-2966254431
                                                        • Opcode ID: 157e3c84acb298c00b8a811f8dbb714bd95cc3abe4333fe7ddc149ff661122fd
                                                        • Instruction ID: 1f40aeda14031b83fd9eea2ddee5e82f5a36372f8d90ac1696f7ac499827f772
                                                        • Opcode Fuzzy Hash: 157e3c84acb298c00b8a811f8dbb714bd95cc3abe4333fe7ddc149ff661122fd
                                                        • Instruction Fuzzy Hash: 4621A135204211AFC300AF61CC88CAFBBBDEFCA755F10052EF90693151DB399945CBA6
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                        Strings
                                                        • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime
                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                        • API String ID: 481472006-1507639952
                                                        • Opcode ID: 9629856601c2ade6b9171a8da2872b59cbc4edb5dc9735de265d34bbd197e3ce
                                                        • Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
                                                        • Opcode Fuzzy Hash: 9629856601c2ade6b9171a8da2872b59cbc4edb5dc9735de265d34bbd197e3ce
                                                        • Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F
                                                        APIs
                                                        • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime
                                                        • String ID: | $%02i:%02i:%02i:%03i
                                                        • API String ID: 481472006-2430845779
                                                        • Opcode ID: 7c541b1fe11d74047bf4de15ff6413637149af1765b06644cf8be9994c192f8f
                                                        • Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
                                                        • Opcode Fuzzy Hash: 7c541b1fe11d74047bf4de15ff6413637149af1765b06644cf8be9994c192f8f
                                                        • Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E
                                                        APIs
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID: TUF
                                                        • API String ID: 3660427363-3431404234
                                                        • Opcode ID: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                        • Instruction ID: c735b93b908d9d71aa6a4d05a3740b5a2597980304af3aa5722c76a25f50973a
                                                        • Opcode Fuzzy Hash: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                        • Instruction Fuzzy Hash: B201A2B6A00108BFEB04EB95DD46EFFBABDEF44240F10007AF901E2251E6B4AF009664
                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00419EBE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExistsFilePath
                                                        • String ID: TUF$alarm.wav
                                                        • API String ID: 1174141254-147985980
                                                        • Opcode ID: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                                        • Instruction ID: dd13df65ec224498850e23f6f848d4e774319f78d5db457f3497a795ed38963e
                                                        • Opcode Fuzzy Hash: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                                        • Instruction Fuzzy Hash: F301927060420166C604B676D866AEE77418BC1719F50413FF88A966E2EF7C9EC6C2CF
                                                        APIs
                                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                        • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                        • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                        • String ID: Online Keylogger Stopped
                                                        • API String ID: 1623830855-1496645233
                                                        • Opcode ID: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                                        • Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
                                                        • Opcode Fuzzy Hash: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                                        • Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB
                                                        APIs
                                                        • waveInPrepareHeader.WINMM(005CDBF8,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                                                        • waveInAddBuffer.WINMM(005CDBF8,00000020,?,00000000,00401913), ref: 0040175D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$BufferHeaderPrepare
                                                        • String ID: T=G
                                                        • API String ID: 2315374483-379896819
                                                        • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                        • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                        • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                        • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                        APIs
                                                        • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocaleValid
                                                        • String ID: IsValidLocaleName$z=D
                                                        • API String ID: 1901932003-2791046955
                                                        • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                        • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                                                        • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                        • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID: T=G$T=G
                                                        • API String ID: 3519838083-3732185208
                                                        • Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                        • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                                                        • Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                        • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                                                        APIs
                                                        • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                          • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                          • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                          • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                          • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                          • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                        • String ID: [AltL]$[AltR]
                                                        • API String ID: 2738857842-2658077756
                                                        • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                        • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                        • Opcode Fuzzy Hash: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                        • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                        APIs
                                                        • _free.LIBCMT ref: 00448835
                                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorFreeHeapLast_free
                                                        • String ID: `@$`@
                                                        • API String ID: 1353095263-20545824
                                                        • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                        • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                                                        • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                        • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                                                        APIs
                                                        • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: State
                                                        • String ID: [CtrlL]$[CtrlR]
                                                        • API String ID: 1649606143-2446555240
                                                        • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                        • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                        • Opcode Fuzzy Hash: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                        • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                        APIs
                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteOpenValue
                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                        • API String ID: 2654517830-1051519024
                                                        • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                        • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                        • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                        • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                        APIs
                                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DeleteDirectoryFileRemove
                                                        • String ID: pth_unenc
                                                        • API String ID: 3325800564-4028850238
                                                        • Opcode ID: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                        • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                        • Opcode Fuzzy Hash: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                        • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                        APIs
                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ObjectProcessSingleTerminateWait
                                                        • String ID: pth_unenc
                                                        • API String ID: 1872346434-4028850238
                                                        • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                        • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                        • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                        • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                                        • GetLastError.KERNEL32 ref: 0043FB12
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.4170725030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.4170714190.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170751889.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170773350.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.4170801892.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc1.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 1717984340-0
                                                        • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                        • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                                        • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                        • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759