
Windows Analysis Report
173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe

Overview

General Information

Sample name: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
Analysis ID: 1586003
MD5: 388c9d6483cf4532b2c121761895d3c3
SHA1: ff6b2257bcebfcf4a71c907d858b5669d1ce5fa0
SHA256: d151b029f2be0e159398119ba1230297086ec636afe5fe03e09207e12eabe57c
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration:
{"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "08-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DCXXDI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches on the submitted sample (Source | Rule | Description | Author, followed by matched strings):
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6ad08:$a1: Remcos restarted by watchdog!
  • 0x6b280:$a3: %02i:%02i:%02i:%03i
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64f94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65004:$str_b2: Executing file:
  • 0x65e4c:$str_b3: GetDirectListeningPort
  • 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65980:$str_b7: \update.vbs
  • 0x6502c:$str_b9: Downloaded file:
  • 0x65018:$str_b10: Downloading file:
  • 0x650bc:$str_b12: Failed to upload file:
  • 0x65e14:$str_b13: StartForward
  • 0x65e34:$str_b14: StopForward
  • 0x658d8:$str_b15: fso.DeleteFile "
  • 0x6586c:$str_b16: On Error Resume Next
  • 0x65908:$str_b17: fso.DeleteFolder "
  • 0x650ac:$str_b18: Uploaded file:
  • 0x6506c:$str_b19: Unable to delete:
  • 0x658a0:$str_b20: while fso.FileExists("
  • 0x65549:$str_c0: [Firefox StoredLogins not found]

Yara matches on dropped files (Source | Rule | Description | Author):
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Yara matches on memory dumps (Source | Rule | Description | Author):
Source: 00000000.00000002.4512357235.000000000229F000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security

Yara matches on unpacked PEs (Source | Rule | Description | Author):
Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown (matched strings $a1 and $a3 at the same offsets as listed for the submitted sample above)
Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown (matched strings $str_a1 through $str_c0 at the same offsets as listed for the submitted sample above)

                          Stealing of Sensitive Information

Sigma match: Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, ProcessId: 3128, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2025-01-08T16:06:43.186538+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 179.15.136.6 | 1997 | TCP
2025-01-08T16:06:44.528186+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 178.237.33.50 | 80 | TCP
2025-01-08T16:06:42.258168+0100 | 2834936 | 1 | A Network Trojan was detected | 192.168.2.5 | 53042 | 1.1.1.1 | 53 | UDP


                          AV Detection

Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Avira: detected
Source: municipioalcidiadechicamocha.ddnsgeek.com | Avira URL Cloud: Label: malware
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "08-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DCXXDI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4512357235.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00432B45
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_7e460bfa-4

                          Exploits

Source: Yara match | File source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR

                          Privilege Escalation

Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B63A
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0044D7F9 FindFirstFileExA,0_2_0044D7F9
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418E5F
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

                          Networking

Source: Network traffic | Suricata IDS: 2834936 - Severity 1 - ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) : 192.168.2.5:53042 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49705 -> 179.15.136.6:1997
Source: Malware configuration extractor | URLs: municipioalcidiadechicamocha.ddnsgeek.com
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 179.15.136.6:1997
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 179.15.136.6
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49706 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00426302 recv,0_2_00426302
Source: global traffic | DNS traffic detected: DNS query: municipioalcidiadechicamocha.ddnsgeek.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp; 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp; 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077942586.0000000000632000.00000004.00000020.00020000.00000000.sdmp; 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000633000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077860657.0000000000603000.00000004.00000020.00020000.00000000.sdmp; 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpF&
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077860657.0000000000603000.00000004.00000020.00020000.00000000.sdmp; 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpQ#
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077860657.0000000000603000.00000004.00000020.00020000.00000000.sdmp; 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpT&

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 0_2_004099E4
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_00415B5E
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
Source: Yara match | File source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR

                          E-Banking Fraud

Source: Yara match | File source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4512357235.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                          Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041BD82 SystemParametersInfoW,0_2_0041BD82

                          System Summary

                          barindex
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                          Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                          Source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Process Stats: CPU usage > 49%
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041AECC OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0041AECC
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041AEF8 OpenProcess,NtResumeProcess,CloseHandle | 0_2_0041AEF8
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress | 0_2_00415A51
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0043D04B | 0_2_0043D04B
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0042707E | 0_2_0042707E
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041301D | 0_2_0041301D
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00441030 | 0_2_00441030
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00453110 | 0_2_00453110
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004271B8 | 0_2_004271B8
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041D27C | 0_2_0041D27C
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004522E2 | 0_2_004522E2
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0043D2A8 | 0_2_0043D2A8
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00437360 | 0_2_00437360
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004363BA | 0_2_004363BA
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0042645F | 0_2_0042645F
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00431582 | 0_2_00431582
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0043672C | 0_2_0043672C
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041E7EA | 0_2_0041E7EA
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0044C949 | 0_2_0044C949
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004269D6 | 0_2_004269D6
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004369D6 | 0_2_004369D6
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0043CBED | 0_2_0043CBED
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00432C54 | 0_2_00432C54
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00436C9D | 0_2_00436C9D
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0043CE1C | 0_2_0043CE1C
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00436F58 | 0_2_00436F58
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00434F32 | 0_2_00434F32
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: String function: 00401F66 appears 50 times
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: String function: 004020E7 appears 40 times
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: String function: 00433AB0 appears 42 times
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: String function: 004341C0 appears 55 times
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 0_2_00416C9D
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0040E2F1 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle | 0_2_0040E2F1
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource | 0_2_0041A84A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_00419DBA
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-DCXXDI
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Software\ | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Rmc-DCXXDI | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Exe | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Exe | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Rmc-DCXXDI | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: 0TG | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Inj | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Inj | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: PSG | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: exepath | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: PSG | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: exepath | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: licence | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: dMG | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: hSG | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: Administrator | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: User | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: del | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: del | 0_2_0040D83A
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Command line argument: del | 0_2_0040D83A
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | ReversingLabs: Detection: 65%
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: winmm.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: iphlpapi.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: mswsock.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: dnsapi.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: rasadhlp.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: fwpuclnt.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: rsaenh.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: winhttp.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Section loaded: winnsi.dll
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041BEEE
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004560BF push ecx; ret 0_2_004560D2
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00434206 push ecx; ret 0_2_00434219
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004569F0 push eax; ret 0_2_00456A0E
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW | 0_2_00406128
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_00419DBA
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041BEEE
                          Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0040E627 Sleep,ExitProcess,0_2_0040E627
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_00419AB8
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Window / User API: threadDelayed 4025
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Window / User API: threadDelayed 5442
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Window / User API: foregroundWindowGot 1769
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe TID: 2748 | Thread sleep count: 262 > 30
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe TID: 2748 | Thread sleep time: -131000s >= -30000s
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe TID: 2704 | Thread sleep count: 4025 > 30
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe TID: 2704 | Thread sleep time: -12075000s >= -30000s
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe TID: 2704 | Thread sleep count: 5442 > 30
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe TID: 2704 | Thread sleep time: -16326000s >= -30000s
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B63A
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0044D7F9 FindFirstFileExA,0_2_0044D7F9
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418E5F
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000639000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077942586.0000000000639000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW.
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000639000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077942586.0000000000639000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | API call chain: ExitProcess graph end node | graph_0-48131
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A86D
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BEEE
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00442764 mov eax, dword ptr fs:[00000030h] 0_2_00442764
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0044EB3E GetProcessHeap,0_2_0044EB3E
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434378
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A86D
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433D4F
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00433EE2 SetUnhandledExceptionFilter,0_2_00433EE2
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_0041100E
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041894A mouse_event,0_2_0041894A
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerGl
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000633000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managery]
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000633000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000633000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerP]
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDI\
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDI\2
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000633000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerU]
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077860657.0000000000629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernet/
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00434015 cpuid 0_2_00434015
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetLocaleInfoA,0_2_0040E751
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0045107A
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004512CA
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_004472BE
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004513F3
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004514FA
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004515C7
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004477A7
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450C8F
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450F52
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450F07
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450FED
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0041A9AD GetComputerNameExW,GetUserNameW,0_2_0041A9AD
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: 0_2_0044804A _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044804A
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Stealing of Sensitive Information

Source: Yara match | File source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4512357235.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: \key3.db 0_2_0040B335

                          Remote Access Functionality

Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-DCXXDI
Source: Yara match | File source: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4512357235.000000000229F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe PID: 3128, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Code function: cmd.exe 0_2_00405042
MITRE ATT&CK Matrix (one row per line, one column per tactic; a leading number is the report's hit count for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label
173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | 66% | ReversingLabs | Win32.Backdoor.Remcos
173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | 100% | Joe Sandbox ML |
                          No Antivirus matches
Source | Detection | Scanner | Label
municipioalcidiadechicamocha.ddnsgeek.com | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
municipioalcidiadechicamocha.ddnsgeek.com | 179.15.136.6 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
municipioalcidiadechicamocha.ddnsgeek.com | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp/C | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | false | | high
http://geoplugin.net/json.gpF& | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077860657.0000000000603000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpQ# | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077860657.0000000000603000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpT& | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000003.2077860657.0000000000603000.00000004.00000020.00020000.00000000.sdmp, 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
179.15.136.6 | municipioalcidiadechicamocha.ddnsgeek.com | Colombia | 27831 | ColombiaMovilCO | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586003
Start date and time: 2025-01-08 16:05:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 38
• Number of non-executed functions: 207
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
Time | Type | Description
10:07:13 | API Interceptor | 7368541x Sleep call for process: 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
179.15.136.6 | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse
179.15.136.6 | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse
179.15.136.6 | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse
179.15.136.6 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse
179.15.136.6 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse
178.237.33.50 | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | c2.hta | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | c2.hta | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | c2.hta | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
municipioalcidiadechicamocha.ddnsgeek.com | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
municipioalcidiadechicamocha.ddnsgeek.com | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
municipioalcidiadechicamocha.ddnsgeek.com | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
municipioalcidiadechicamocha.ddnsgeek.com | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
geoplugin.net | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATOM86-ASATOM86NL | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
ColombiaMovilCO | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 179.15.136.6
ColombiaMovilCO | sh4.elf | Get hash | malicious | Mirai | Browse | 177.252.126.19
ColombiaMovilCO | armv5l.elf | Get hash | malicious | Unknown | Browse | 191.93.155.250
ColombiaMovilCO | Fantazy.x86.elf | Get hash | malicious | Unknown | Browse | 179.12.199.43
ColombiaMovilCO | armv5l.elf | Get hash | malicious | Unknown | Browse | 191.91.160.57
ColombiaMovilCO | kwari.arm.elf | Get hash | malicious | Unknown | Browse | 181.204.131.174
                                                    No context
                                                    No context
                                                    Process:C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):144
                                                    Entropy (8bit):3.3683413243328855
                                                    Encrypted:false
                                                    SSDEEP:3:rgls1MNrlKel5JWRal2Jl+7R0DAlBG45klovDl6v:MlsaNM65YcIeeDAlOWAv
                                                    MD5:95B9E5F5BFFDDDC61FB522A85F96805E
                                                    SHA1:CDEB1CBA21B9200A05385B223EC7C54C9AFECC54
                                                    SHA-256:4DA2D7B6E8CF24020522184C8C668B46120CB6C1BD9E049E09B67EC83D9F22A4
                                                    SHA-512:B4AD4FBF3B4E0E21186D8E0EC9D61E2D96C9E5774DC3EEBDEF1DC539AFE322EC1654109D57357F3377272604CF690BAC60BFD1E68861FE72C0AD885BF1EA8385
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                    Reputation:low
Preview:....[.2.0.2.5./.0.1./.0.8. .1.0.:.0.6.:.4.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Decoded: the file is UTF-16LE text (the dots are the zero high byte of each character plus the CR/LF pairs), reading "[2025/01/08 10:06:41 Offline Keylogger Started]" followed by a blank line and "[Program Manager]". The timestamped line opens a keylogging session; the bracketed line after it is the foreground window title (here the desktop shell), and captured keystrokes are appended beneath such titles as the victim types. The 144-byte size is exactly 72 UTF-16 code units.
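To read a recovered logs.dat during an incident, decode it as UTF-16LE and split it into session headers, window titles and keystroke text. The Python below is an added example, not code from the report or from Remcos: its input is a constructed reconstruction of the 144-byte preview above, and the line classification (timestamped bracket = session start, other bracketed line = foreground window, anything else = keystrokes) is an assumption drawn from that preview. It also recomputes the 8-bit entropy so the reconstruction can be checked against the value the sandbox reported.

```python
"""Decode a Remcos offline keylogger log (UTF-16LE text) and check it against
the size and entropy the sandbox reported. Added example; not part of the report.
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Constructed input: the 144-byte preview above rebuilt as UTF-16LE. The dots
# in the preview are the zero high bytes of each character plus CR/LF pairs.
SAMPLE_LOG = (
    "\r\n[2025/01/08 10:06:41 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n"
).encode("utf-16-le")

# Assumed line grammar: "[<date> <time> <event>]" opens a session and any other
# "[<title>]" line is a foreground window title; remaining lines are keystrokes.
SESSION = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
WINDOW = re.compile(r"^\[([^\]]+)\]$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same measure as the report's 'Entropy (8bit)' field."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_log(raw: bytes) -> str:
    """UTF-16LE with an optional BOM; replace rather than fail on a truncated tail."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le", errors="replace")


def parse_log(raw: bytes) -> list[dict[str, str]]:
    """Turn the log into session / window / keystroke records, in file order."""
    records: list[dict[str, str]] = []
    for line in decode_log(raw).splitlines():
        if not line:
            continue
        if m := SESSION.match(line):
            records.append({"type": "session", "time": m.group(1), "event": m.group(2)})
        elif m := WINDOW.match(line):
            records.append({"type": "window", "title": m.group(1)})
        else:
            records.append({"type": "keystrokes", "text": line})
    return records


if __name__ == "__main__":
    print(f"size={len(SAMPLE_LOG)} entropy={shannon_entropy(SAMPLE_LOG):.6f}")
    for record in parse_log(SAMPLE_LOG):
        print(record)
```

The entropy of the reconstruction matches the report's 3.3683413 to the last digit, which is a cheap way to confirm that a recovered file is the same artefact the sandbox saw even when only a preview is available; the MD5 is the stronger check when you hold the original bytes.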
                                                    Process:C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):963
                                                    Entropy (8bit):5.019205124979377
                                                    Encrypted:false
                                                    SSDEEP:12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
                                                    MD5:B62617530A8532F9AECAA939B6AB93BB
                                                    SHA1:E4DE9E9838052597EB2A5B363654C737BA1E6A66
                                                    SHA-256:508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
                                                    SHA-512:A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
Preview:
{
  "geoplugin_request":"8.46.123.189",
  "geoplugin_status":200,
  "geoplugin_delay":"2ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):6.589872065697318
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
                                                    File size:493'568 bytes
                                                    MD5:388c9d6483cf4532b2c121761895d3c3
                                                    SHA1:ff6b2257bcebfcf4a71c907d858b5669d1ce5fa0
                                                    SHA256:d151b029f2be0e159398119ba1230297086ec636afe5fe03e09207e12eabe57c
                                                    SHA512:1888fe84f6549975a2352ffcffcaab37cff4a6b17560dff4d07a483ee95a145344c0bf46a307a854142db9a3552da5c00cbb2b8653fe59ada2800482c3a91c34
                                                    SSDEEP:12288:x13ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQzS:jak/mBXTV/R0nEF76gFZU
                                                    TLSH:0AA4BF01BAD2C072D57654300C3AE775DEBDBD212839897BB3D61D97FD30190A63AAB2
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                                    Icon Hash:95694d05214c1b33
                                                    Entrypoint:0x433d45
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x677C5D61 [Mon Jan 6 22:46:57 2025 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:1
                                                    File Version Major:5
                                                    File Version Minor:1
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:1
                                                    Import Hash:e77512f955eaf60ccff45e02d69234de
Instruction (disassembly at the entrypoint, 0x433d45)
Note: the first two instructions are the usual MSVC CRT entry stub (a call to the security-cookie initialiser followed by a jump into the CRT start routine); the listing then continues into the next function in the image, the CRT's GS-failure handler, which calls IsProcessorFeaturePresent(0x17 = PF_FASTFAIL_AVAILABLE) and raises int 29h (__fastfail) when supported, otherwise captures a CONTEXT record. None of this is sample-specific logic.
                                                    call 00007F1254DF86F8h
                                                    jmp 00007F1254DF804Fh
                                                    push ebp
                                                    mov ebp, esp
                                                    sub esp, 00000324h
                                                    push ebx
                                                    push 00000017h
                                                    call 00007F1254E1A52Eh
                                                    test eax, eax
                                                    je 00007F1254DF81D7h
                                                    mov ecx, dword ptr [ebp+08h]
                                                    int 29h
                                                    push 00000003h
                                                    call 00007F1254DF8394h
                                                    mov dword ptr [esp], 000002CCh
                                                    lea eax, dword ptr [ebp-00000324h]
                                                    push 00000000h
                                                    push eax
                                                    call 00007F1254DFA6B0h
                                                    add esp, 0Ch
                                                    mov dword ptr [ebp-00000274h], eax
                                                    mov dword ptr [ebp-00000278h], ecx
                                                    mov dword ptr [ebp-0000027Ch], edx
                                                    mov dword ptr [ebp-00000280h], ebx
                                                    mov dword ptr [ebp-00000284h], esi
                                                    mov dword ptr [ebp-00000288h], edi
                                                    mov word ptr [ebp-0000025Ch], ss
                                                    mov word ptr [ebp-00000268h], cs
                                                    mov word ptr [ebp-0000028Ch], ds
                                                    mov word ptr [ebp-00000290h], es
                                                    mov word ptr [ebp-00000294h], fs
                                                    mov word ptr [ebp-00000298h], gs
                                                    pushfd
                                                    pop dword ptr [ebp-00000264h]
                                                    mov eax, dword ptr [ebp+04h]
                                                    mov dword ptr [ebp-0000026Ch], eax
                                                    lea eax, dword ptr [ebp+04h]
                                                    mov dword ptr [ebp-00000260h], eax
                                                    mov dword ptr [ebp-00000324h], 00010001h
                                                    mov eax, dword ptr [eax-04h]
                                                    push 00000050h
                                                    mov dword ptr [ebp-00000270h], eax
                                                    lea eax, dword ptr [ebp-58h]
                                                    push 00000000h
                                                    push eax
                                                    call 00007F1254DFA626h
Programming Language (derived from the Rich header):
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Cross-check this attribution before using it for clustering: the __fastfail path in the entrypoint listing and imports such as InitializeSListHead and IsProcessorFeaturePresent are characteristic of newer Microsoft CRTs, and the Rich header is trivially editable.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f030 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x77000 | 0x4b84 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x3b9c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d520 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d5f8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d558 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x58000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5612d | 0x56200 | 5c74fad187ce0ec180ec04ec1b2886cc | False | 0.5738587400217707 | data | 6.626093338563234 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x58000 | 0x18b10 | 0x18c00 | 6a99ef6306230cc107eebd633ea523fe | False | 0.49747474747474746 | data | 5.749671721823548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d94 | 0xe00 | f36050cd29c9ed45c5f5146a79631724 | False | 0.22712053571428573 | data | 3.113812036269812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x77000 | 0x4b84 | 0x4c00 | a2492825c3d1de75366bed21454b3528 | False | 0.2866981907894737 | data | 3.9942440475546364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7c000 | 0x3b9c | 0x3c00 | 1ed637208bbcc0435870762eae94c19a | False | 0.759375 | data | 6.709901047445024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7718c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x775f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x77f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x79024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7b5cc | 0x575 | data | | | 1.0078740157480315
RT_GROUP_ICON | 0x7bb44 | 0x3e | data | English | United States | 0.8064516129032258
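The RT_RCDATA entry above (0x575 bytes, ZLIB complexity above 1.0, i.e. incompressible) is the kind of resource in which Remcos is known to keep its encrypted configuration, conventionally in an RCDATA resource named SETTINGS. The widely documented layout is a one-byte RC4 key length, the key, then the RC4 ciphertext, with fields split by a multi-byte delimiter. The Python below is an added example, not code from the report or from Remcos: it constructs a blob with that layout from placeholder values so the parser runs offline, then decrypts it back. The resource name, the delimiter and the field order are assumptions to verify against your own sample, and the placeholder fields say nothing about this sample's real configuration.

```python
"""Parse a Remcos-style encrypted SETTINGS resource blob.

Added example, not code from the report or from Remcos itself. Assumed layout
(verify against your own sample): byte 0 = RC4 key length, then the key, then
the RC4-encrypted configuration whose fields are separated by DELIM.
"""
from __future__ import annotations

# Field separator reported for recent Remcos builds (assumption; older builds differ).
DELIM = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> list[bytes]:
    """Recover the plaintext fields from a [key_len][key][rc4(config)] blob."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("declared key length does not fit the blob")
    key = blob[1 : 1 + key_len]
    plaintext = rc4(key, blob[1 + key_len :])
    if DELIM not in plaintext:
        # Wrong layout, wrong delimiter, or not a Remcos config at all.
        raise ValueError("field delimiter not found after decryption")
    return plaintext.split(DELIM)


def build_settings(key: bytes, fields: list[bytes]) -> bytes:
    """Inverse of parse_settings; used here only to construct offline test input."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, DELIM.join(fields))


# Constructed stand-in for the RT_RCDATA contents: placeholder values only,
# not the configuration of the analysed sample.
SAMPLE_KEY = bytes.fromhex("8f2104a7de33")
SAMPLE_FIELDS = [b"c2.example.invalid:1997:1", b"Pass", b"RemoteHost", b"remcos", b"logs.dat"]
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_FIELDS)


if __name__ == "__main__":
    for index, field in enumerate(parse_settings(SAMPLE_BLOB)):
        print(f"field[{index}] = {field!r}")
```

On a real file, feed parse_settings the raw bytes of the RCDATA resource (for example, walk pe.DIRECTORY_ENTRY_RESOURCE with pefile and read them with pe.get_data(rva, size), using the RVA and size from the table above). If the delimiter check fails, the build may use a different separator or layout; do not assume the key length byte is correct just because the resource is high-entropy.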
DLL | Imports
KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not included)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T16:06:42.258168+0100 | 2834936 | ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) | 1 | 192.168.2.5 | 53042 | 1.1.1.1 | 53 | UDP
2025-01-08T16:06:43.186538+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49705 | 179.15.136.6 | 1997 | TCP
2025-01-08T16:06:44.528186+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49706 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:06:42.486702919 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:42.491616964 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:42.491741896 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:42.497592926 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:42.502542973 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.139400005 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.186537981 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:43.283458948 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.287899971 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:43.292690039 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.292769909 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:43.297583103 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.613594055 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.615358114 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:43.620157003 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.777409077 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:43.827285051 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:43.899719954 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:06:43.904589891 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 16:06:43.904669046 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:06:43.904781103 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:06:43.909538031 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 16:06:44.528053999 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 16:06:44.528186083 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:06:44.548341990 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:06:44.553242922 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:06:45.527940989 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 16:06:45.528145075 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:07:08.108933926 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:07:08.122256041 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:07:08.127245903 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:07:38.304604053 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:07:38.306225061 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:07:38.311053991 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:08:08.440021992 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:08:08.627506018 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:08:08.632360935 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:08:33.874387980 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:08:34.358438969 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:08:34.967808008 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:08:36.170949936 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:08:38.484699965 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:08:38.486452103 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:08:38.491265059 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:08:38.670944929 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:08:43.670949936 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:08:53.358459949 CET | 49706 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:09:08.543373108 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:09:08.544770956 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:09:08.549618006 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:09:38.539695024 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:09:38.546272039 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:09:38.551090956 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:10:08.556097031 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:10:08.558398008 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:10:08.563407898 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:10:38.655735016 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:10:38.657531977 CET | 49705 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:10:38.662319899 CET | 1997 | 49705 | 179.15.136.6 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:06:42.258167982 CET | 53042 | 53 | 192.168.2.5 | 1.1.1.1
Jan 8, 2025 16:06:42.482961893 CET | 53 | 53042 | 1.1.1.1 | 192.168.2.5
Jan 8, 2025 16:06:43.889240026 CET | 60948 | 53 | 192.168.2.5 | 1.1.1.1
Jan 8, 2025 16:06:43.896301031 CET | 53 | 60948 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 16:06:42.258167982 CET | 192.168.2.5 | 1.1.1.1 | 0xe8cc | Standard query (0) | municipioalcidiadechicamocha.ddnsgeek.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:06:43.889240026 CET | 192.168.2.5 | 1.1.1.1 | 0xb040 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 16:06:42.482961893 CET | 1.1.1.1 | 192.168.2.5 | 0xe8cc | No error (0) | municipioalcidiadechicamocha.ddnsgeek.com | | 179.15.136.6 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:06:43.896301031 CET | 1.1.1.1 | 192.168.2.5 | 0xb040 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                    • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 178.237.33.50 | 80 | 3128 | C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:06:43.904781103 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 8, 2025 16:06:44.528053999 CET | 1171 | IN | HTTP/1.1 200 OK
                                                    date: Wed, 08 Jan 2025 15:06:44 GMT
                                                    server: Apache
                                                    content-length: 963
                                                    content-type: application/json; charset=utf-8
                                                    cache-control: public, max-age=300
                                                    access-control-allow-origin: *
                                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                    Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID: 0
Start time: 10:06:41
Start date: 08/01/2025
Path: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe"
Imagebase: 0x400000
File size: 493'568 bytes
MD5 hash: 388C9D6483CF4532B2C121761895D3C3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4512357235.000000000229F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4512096897.0000000000603000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2054430444.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4512096897.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false
                                                      Execution Graph

Execution Coverage: 4.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.6%
Total number of Nodes: 1395
Total number of Limit Nodes: 67
                                                      execution_graph 46462 44eac6 46463 44ead1 46462->46463 46464 44eaf9 46463->46464 46465 44eaea 46463->46465 46466 44eb08 46464->46466 46484 455783 27 API calls 2 library calls 46464->46484 46483 445564 20 API calls __dosmaperr 46465->46483 46471 44bbce 46466->46471 46469 44eaef ___scrt_fastfail 46472 44bbe6 46471->46472 46473 44bbdb 46471->46473 46475 44bbee 46472->46475 46481 44bbf7 _strftime 46472->46481 46491 446d0f 21 API calls 3 library calls 46473->46491 46485 446cd5 46475->46485 46477 44bc21 RtlReAllocateHeap 46480 44bbe3 46477->46480 46477->46481 46478 44bbfc 46492 445564 20 API calls __dosmaperr 46478->46492 46480->46469 46481->46477 46481->46478 46493 442410 7 API calls 2 library calls 46481->46493 46483->46469 46484->46466 46486 446ce0 RtlFreeHeap 46485->46486 46487 446d09 __dosmaperr 46485->46487 46486->46487 46488 446cf5 46486->46488 46487->46480 46494 445564 20 API calls __dosmaperr 46488->46494 46490 446cfb GetLastError 46490->46487 46491->46480 46492->46480 46493->46481 46494->46490 46495 426061 46496 426076 46495->46496 46502 426116 46495->46502 46497 4261a9 46496->46497 46498 426130 46496->46498 46499 4260f9 46496->46499 46496->46502 46504 426165 46496->46504 46505 4260c4 46496->46505 46510 426182 46496->46510 46523 42455f 50 API calls ctype 46496->46523 46497->46502 46528 4257d2 28 API calls 46497->46528 46498->46502 46498->46504 46526 41f280 54 API calls 46498->46526 46499->46498 46499->46502 46525 42455f 50 API calls ctype 46499->46525 46504->46510 46527 424d86 21 API calls 46504->46527 46505->46499 46505->46502 46524 41f280 54 API calls 46505->46524 46510->46497 46510->46502 46511 425183 46510->46511 46512 4251a2 ___scrt_fastfail 46511->46512 46514 4251b1 46512->46514 46517 4251d6 46512->46517 46529 41e2a2 21 API calls 46512->46529 46514->46517 46522 4251b6 46514->46522 46530 41fcdf 47 API calls 46514->46530 46517->46497 46518 4251bf 46518->46517 46537 424390 21 API calls 2 library calls 
46518->46537 46520 425259 46520->46517 46531 4321a4 46520->46531 46522->46517 46522->46518 46536 41d179 50 API calls 46522->46536 46523->46505 46524->46505 46525->46498 46526->46498 46527->46510 46528->46502 46529->46514 46530->46520 46532 4321b2 46531->46532 46533 4321ae 46531->46533 46538 43aa9c 46532->46538 46533->46522 46536->46518 46537->46517 46543 446d0f _strftime 46538->46543 46539 446d4d 46546 445564 20 API calls __dosmaperr 46539->46546 46541 446d38 RtlAllocateHeap 46542 4321b7 46541->46542 46541->46543 46542->46522 46543->46539 46543->46541 46545 442410 7 API calls 2 library calls 46543->46545 46545->46543 46546->46542 46547 42cfd4 46548 42cffa ___scrt_fastfail 46547->46548 46551 42d091 46548->46551 46555 42b5d7 46548->46555 46550 42d05e 46550->46551 46567 42cdb5 46550->46567 46553 42d07b 46553->46551 46572 42ce25 50 API calls ___scrt_fastfail 46553->46572 46556 42b690 46555->46556 46557 42b5e6 46555->46557 46556->46550 46557->46556 46558 42b620 46557->46558 46573 42b595 46 API calls 46557->46573 46563 42b63c 46558->46563 46574 42b595 46 API calls 46558->46574 46562 42b674 46562->46556 46577 42b595 46 API calls 46562->46577 46564 42b658 46563->46564 46575 42b595 46 API calls 46563->46575 46564->46562 46576 42b595 46 API calls 46564->46576 46578 432866 46567->46578 46569 42cdff 46569->46553 46570 42cdc9 46570->46569 46582 42fa6a 46570->46582 46572->46551 46573->46558 46574->46563 46575->46564 46576->46562 46577->46556 46579 43287b 46578->46579 46581 432896 46578->46581 46579->46581 46585 432b45 CryptAcquireContextA 46579->46585 46581->46570 46589 430efb 21 API calls 46582->46589 46584 42fa81 46584->46569 46586 432b61 46585->46586 46587 432b66 CryptGenRandom 46585->46587 46586->46581 46587->46586 46588 432b7b CryptReleaseContext 46587->46588 46588->46586 46589->46584 46590 42623b 46595 426302 recv 46590->46595 46596 41d6db 46598 41d6f1 ctype ___scrt_fastfail 46596->46598 46597 41d8ee 46602 41d93f 46597->46602 46612 41d27c DeleteCriticalSection 
EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 46597->46612 46598->46597 46600 4321a4 21 API calls 46598->46600 46605 41d8a1 ___scrt_fastfail 46600->46605 46601 41d8ff 46601->46602 46603 41d96b 46601->46603 46604 4321a4 21 API calls 46601->46604 46603->46602 46616 41d67f 21 API calls ___scrt_fastfail 46603->46616 46608 41d938 ___scrt_fastfail 46604->46608 46605->46602 46606 4321a4 21 API calls 46605->46606 46610 41d8c9 ___scrt_fastfail 46606->46610 46608->46602 46613 43285a 46608->46613 46610->46602 46611 4321a4 21 API calls 46610->46611 46611->46597 46612->46601 46617 43277a 46613->46617 46615 432862 46615->46603 46616->46602 46618 432789 46617->46618 46619 432793 46617->46619 46618->46615 46619->46618 46620 4321a4 21 API calls 46619->46620 46621 4327b4 46620->46621 46621->46618 46622 432b45 3 API calls 46621->46622 46622->46618 46623 433bc9 46624 433bd5 ___DestructExceptionObject 46623->46624 46655 4338be 46624->46655 46626 433bdc 46627 433d2f 46626->46627 46630 433c06 46626->46630 46957 433d4f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46627->46957 46629 433d36 46958 4428ce 28 API calls _Atexit 46629->46958 46642 433c45 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46630->46642 46951 4436e1 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 46630->46951 46632 433d3c 46959 442880 28 API calls _Atexit 46632->46959 46635 433c1f 46637 433c25 46635->46637 46952 443685 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 46635->46952 46636 433d44 46639 433ca6 46666 433e69 46639->46666 46642->46639 46953 43f037 38 API calls 4 library calls 46642->46953 46649 433cc8 46649->46629 46650 433ccc 46649->46650 46651 433cd5 46650->46651 46955 442871 28 API calls _Atexit 46650->46955 46956 433a4d 13 API calls 2 library calls 46651->46956 46654 433cdd 46654->46637 46656 4338c7 46655->46656 46960 434015 IsProcessorFeaturePresent 
46656->46960 46658 4338d3 46961 437bfe 10 API calls 3 library calls 46658->46961 46660 4338d8 46665 4338dc 46660->46665 46962 44356e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46660->46962 46662 4338f3 46662->46626 46663 4338e5 46663->46662 46963 437c27 8 API calls 3 library calls 46663->46963 46665->46626 46964 436260 46666->46964 46669 433cac 46670 443632 46669->46670 46966 44dfd9 46670->46966 46672 433cb5 46675 40d83a 46672->46675 46673 44363b 46673->46672 46970 44e2e3 38 API calls 46673->46970 46972 41beee LoadLibraryA GetProcAddress 46675->46972 46677 40d856 GetModuleFileNameW 46977 40e240 46677->46977 46679 40d872 46992 401fbd 46679->46992 46682 401fbd 28 API calls 46683 40d890 46682->46683 46996 41b1ce 46683->46996 46687 40d8a2 47021 401d8c 46687->47021 46689 40d8ab 46690 40d908 46689->46690 46691 40d8be 46689->46691 47027 401d64 46690->47027 47301 40ea5e 111 API calls 46691->47301 46694 40d918 46697 401d64 28 API calls 46694->46697 46695 40d8d0 46696 401d64 28 API calls 46695->46696 46700 40d8dc 46696->46700 46698 40d937 46697->46698 47032 404cbf 46698->47032 47302 40ea0f 68 API calls 46700->47302 46701 40d946 47036 405ce6 46701->47036 46704 40d952 47039 401eef 46704->47039 46705 40d8f7 47303 40e22d 68 API calls 46705->47303 46708 40d95e 47043 401eea 46708->47043 46710 40d967 46712 401eea 26 API calls 46710->46712 46711 401eea 26 API calls 46713 40dd72 46711->46713 46714 40d970 46712->46714 46954 433e9f GetModuleHandleW 46713->46954 46715 401d64 28 API calls 46714->46715 46716 40d979 46715->46716 47047 401ebd 46716->47047 46718 40d984 46719 401d64 28 API calls 46718->46719 46720 40d99d 46719->46720 46721 401d64 28 API calls 46720->46721 46722 40d9b8 46721->46722 46723 40da19 46722->46723 47304 4085b4 46722->47304 46724 401d64 28 API calls 46723->46724 46740 40e20c 46723->46740 46730 40da30 46724->46730 46726 40d9e5 46727 401eef 26 API calls 46726->46727 46728 40d9f1 46727->46728 46729 
401eea 26 API calls 46728->46729 46732 40d9fa 46729->46732 46731 40da77 46730->46731 46735 41258f 3 API calls 46730->46735 47051 40bed7 46731->47051 47308 41258f RegOpenKeyExA 46732->47308 46734 40da7d 46736 40d900 46734->46736 47054 41a66e 46734->47054 46741 40da5b 46735->46741 46736->46711 46739 40da98 46742 40daeb 46739->46742 47071 40697b 46739->47071 47386 4129da 30 API calls 46740->47386 46741->46731 47311 4129da 30 API calls 46741->47311 46744 401d64 28 API calls 46742->46744 46747 40daf4 46744->46747 46756 40db00 46747->46756 46757 40db05 46747->46757 46749 40e222 47387 41138d 64 API calls ___scrt_fastfail 46749->47387 46750 40dac1 46754 401d64 28 API calls 46750->46754 46751 40dab7 47312 40699d 30 API calls 46751->47312 46763 40daca 46754->46763 47315 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46756->47315 46761 401d64 28 API calls 46757->46761 46758 40dabc 47313 4064d0 97 API calls 46758->47313 46762 40db0e 46761->46762 47075 41b013 46762->47075 46763->46742 46767 40dae6 46763->46767 46765 40db19 47079 401e18 46765->47079 47314 4064d0 97 API calls 46767->47314 46768 40db24 47083 401e13 46768->47083 46771 40db2d 46772 401d64 28 API calls 46771->46772 46773 40db36 46772->46773 46774 401d64 28 API calls 46773->46774 46775 40db50 46774->46775 46776 401d64 28 API calls 46775->46776 46777 40db6a 46776->46777 46778 401d64 28 API calls 46777->46778 46779 40db83 46778->46779 46780 401d64 28 API calls 46779->46780 46811 40dbf0 46779->46811 46786 40db98 _wcslen 46780->46786 46781 40dbff 46782 40dc08 46781->46782 46808 40dc84 ___scrt_fastfail 46781->46808 46783 401d64 28 API calls 46782->46783 46785 40dc11 46783->46785 46784 40dd7d ___scrt_fastfail 47375 412735 RegOpenKeyExA 46784->47375 46787 401d64 28 API calls 46785->46787 46788 401d64 28 API calls 46786->46788 46786->46811 46789 40dc23 46787->46789 46790 40dbb3 46788->46790 46792 401d64 28 API calls 46789->46792 46793 401d64 28 API calls 46790->46793 46794 40dc35 46792->46794 46795 40dbc8 

                                                      Control-flow Graph

                                                      APIs
                                                      • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
                                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF26
                                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
                                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
                                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF63
                                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF73
                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF83
                                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BF93
                                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
                                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
                                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
                                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
                                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041C003
                                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041C014
                                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D856), ref: 0041C021
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041C024
                                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D856), ref: 0041C036
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041C039
                                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D856), ref: 0041C046
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041C049
                                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D856), ref: 0041C05B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041C05E
                                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D856), ref: 0041C06B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041C06E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$HandleLibraryLoadModule
                                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                      • API String ID: 384173800-625181639
                                                      • Opcode ID: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
                                                      • Instruction ID: 91c85bc0cfa8e625a7056272f5779649be84715ca0db9f9d819234a6a75bf275
                                                      • Opcode Fuzzy Hash: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
                                                      • Instruction Fuzzy Hash: 4C31E2A0E8035C7ADB207BB69CC9F3B7E6DD9847953510427B54893190EB7DEC408EAE

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF26
                                                        • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
                                                        • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
                                                        • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF63
                                                        • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF73
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF83
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF93
                                                        • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
                                                        • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
                                                        • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041C003
                                                        • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe,00000104), ref: 0040D863
                                                        • Part of subcall function 0040FD92: __EH_prolog.LIBCMT ref: 0040FD97
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                      • String ID: SG$0TG$Access Level: $Administrator$C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe$Exe$Exe$Inj$PSG$PSG$Remcos Agent initialized$Rmc-DCXXDI$Software\$User$dMG$del$del$exepath$hSG$licence$license_code.txt
                                                      • API String ID: 2830904901-1286219514
                                                      • Opcode ID: 725633127e4b77860ee352cd58d9fd0f2a9b5a5623a9bf6990050f69c27e9e3b
                                                      • Instruction ID: b96e9d53b64ce9762df997b7c443b274fb73bccd3fe431706256fac2145036cf
                                                      • Opcode Fuzzy Hash: 725633127e4b77860ee352cd58d9fd0f2a9b5a5623a9bf6990050f69c27e9e3b
                                                      • Instruction Fuzzy Hash: 2E32C760B043406ADA14B776DC57BBE259A9F81748F00483FB9467B2E2DEBC9D44C39E

                                                      Control-flow Graph

                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                      • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                      • GetLastError.KERNEL32 ref: 00409A1B
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                      • TranslateMessage.USER32(?), ref: 00409A7A
                                                      • DispatchMessageA.USER32(?), ref: 00409A85
                                                      Strings
                                                      • Keylogger initialization failure: error , xrefs: 00409A32
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                      • String ID: Keylogger initialization failure: error
                                                      • API String ID: 3219506041-952744263
                                                      • Opcode ID: c6ad27a1f32c7b35bd706965db4ad972d695f79b56ef0d389dbfdbb6ef8f6fa1
                                                      • Instruction ID: 916e88852ed13b3ab14e3660f0b3d121b0d8821096f38c6baae7fa71b0b7a026
                                                      • Opcode Fuzzy Hash: c6ad27a1f32c7b35bd706965db4ad972d695f79b56ef0d389dbfdbb6ef8f6fa1
                                                      • Instruction Fuzzy Hash: 6D118271604301AFC710BB7A9C4996B77ECAB94B15B10057EFC45E2191EE34DA01CBAA

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
                                                        • Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
                                                        • Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8
                                                      • Sleep.KERNEL32(00000BB8), ref: 0040E6DB
                                                      • ExitProcess.KERNEL32 ref: 0040E74A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                                      • String ID: 6.0.0 Pro$override$pth_unenc
                                                      • API String ID: 2281282204-4012039065
                                                      • Opcode ID: e48c5bd0e5f8f7b978d8bdbd670fe216713c81f394539d974a824bf7a4ef8053
                                                      • Instruction ID: 41eca1b412dc6cb4cbd69e66e1420b1d2a9bda06de9f36a729d5cd10817e4b5d
                                                      • Opcode Fuzzy Hash: e48c5bd0e5f8f7b978d8bdbd670fe216713c81f394539d974a824bf7a4ef8053
                                                      • Instruction Fuzzy Hash: A821D131F1420027D60876778857B6F399A9B81719F90052EF819A72E7EEBD9E1083DF

                                                      Control-flow Graph

                                                      APIs
                                                      • GetLocalTime.KERNEL32(00000001,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404946
                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404994
                                                      • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                      Strings
                                                      • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Create$EventLocalThreadTime
                                                      • String ID: KeepAlive | Enabled | Timeout:
                                                      • API String ID: 2532271599-1507639952
                                                      • Opcode ID: 3706b51fedfb6b17057c05fa2c189eb69b55955f33b2a26d59dd23dd1e9d912a
                                                      • Instruction ID: 334fa9fd2124ebc6c4f40b6d461b17bc354faf393a4ed588a06a33f3771f6744
                                                      • Opcode Fuzzy Hash: 3706b51fedfb6b17057c05fa2c189eb69b55955f33b2a26d59dd23dd1e9d912a
                                                      • Instruction Fuzzy Hash: 1611E3B19052547ACB10A7BA8849BDB7F9CAB86364F00007FF50462292DA789845CBFA
                                                      APIs
                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004328CD,00000024,?,?,?), ref: 00432B57
                                                      • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CDC9,?), ref: 00432B6D
                                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CDC9,?), ref: 00432B7F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt$Context$AcquireRandomRelease
                                                      • String ID:
                                                      • API String ID: 1815803762-0
                                                      • Opcode ID: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
                                                      • Instruction ID: 69441ad90531868046e0b1178e1924530c202fcb63ed7aa5228c64bcbe668f15
                                                      • Opcode Fuzzy Hash: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
                                                      • Instruction Fuzzy Hash: ADE09231608350FFFB300F25AC08F177B94EB89B65F21063AF155E40E4CAA59805961C
                                                      APIs
                                                      • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750FC), ref: 0041A9CA
                                                      • GetUserNameW.ADVAPI32(?,0040E096), ref: 0041A9E2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Name$ComputerUser
                                                      • String ID:
                                                      • API String ID: 4229901323-0
                                                      • Opcode ID: c38e36c8d41ee46761b6a4ad2d0e2b40601694a6c822a335d006f55048ef3fa5
                                                      • Instruction ID: dd4171341b6269d20eef4dfb17ad31a68228dcd82fcdc0eb213b330dd994abd5
                                                      • Opcode Fuzzy Hash: c38e36c8d41ee46761b6a4ad2d0e2b40601694a6c822a335d006f55048ef3fa5
                                                      • Instruction Fuzzy Hash: 16014F7290011CAADB00EB90DC49ADDBB7CEF44315F10016AB502B3195EFB4AB898A98
                                                      APIs
                                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004146BA,00474EE0,00475A38,00474EE0,00000000,00474EE0,?,00474EE0,6.0.0 Pro), ref: 0040E765
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      • Opcode ID: 4f63efff100e8568bd7427ee403b69b99ebb5287ae6166f5ca37386f2dc94b8d
                                                      • Instruction ID: 426317967f55bc2b8d076a22fb2a8dcf1c85f3a8f112093483d3870effb55d88
                                                      • Opcode Fuzzy Hash: 4f63efff100e8568bd7427ee403b69b99ebb5287ae6166f5ca37386f2dc94b8d
                                                      • Instruction Fuzzy Hash: A6D05E607002197BEA109691CC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF048AE1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: recv
                                                      • String ID:
                                                      • API String ID: 1507349165-0
                                                      • Opcode ID: e479f6d312995adc38c95d140b7cef8bd4a3583c6482d3884fe68aabfa392038
                                                      • Instruction ID: 85cd51724732601f8c8003b199973b8832ebbe95acea7078dd2fcbbf2f3153fb
                                                      • Opcode Fuzzy Hash: e479f6d312995adc38c95d140b7cef8bd4a3583c6482d3884fe68aabfa392038
                                                      • Instruction Fuzzy Hash: FCB09279118202FFCA051B60CC0887ABEB6ABCC381F108D2DB986A01B0DE37C451AB26

                                                      Control-flow graph for the function at 0x4140ac (blocks marked executed / not executed): entry 4140ac-4140f7; Sleep at 4140f9-414100; the loop body from 4141c8 sets up the socket through 404262 and, in block 4143a2-4143b7, calls 404915 (the KeepAlive routine) and 40428c (the connect routine); WSAGetLastError sits in the error path at 41431c-414362; GetTickCount is called inside the large status-building block 41454c-414975; CreateThread at 414cb4-414cc0; a second Sleep at 414cfa-414d1a runs before control returns to 4141c8.
                                                      APIs
                                                      • Sleep.KERNEL32(00000000,00000029,00475308,?,00000000), ref: 00414100
                                                      • WSAGetLastError.WS2_32 ref: 00414321
                                                      • Sleep.KERNEL32(00000000,00000002), ref: 00414D1A
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep$ErrorLastLocalTime
                                                      • String ID: | $ ]$%I64u$6.0.0 Pro$C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$PhNG$Rmc-DCXXDI$TLS Off$TLS On $TeF$dMG$hSG$hlight$name$NG$NG$VG
                                                      • API String ID: 524882891-2701970350
                                                      • Opcode ID: 918bc987664b8491f60aceb4f06e3f4d68d9346336c78d86623a22e9571963aa
                                                      • Instruction ID: c3263a97f07b8ae9d11225c8127e62ab27a72c03ae3a8f764161ebb565a1ac44
                                                      • Opcode Fuzzy Hash: 918bc987664b8491f60aceb4f06e3f4d68d9346336c78d86623a22e9571963aa
                                                      • Instruction Fuzzy Hash: EE625E71A001145ACB18F771DDA6AEE73659FA0308F1041BFB80A771E2EF785E85CA9D

                                                      Control-flow Graph

                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0040A456
                                                      • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                      • GetForegroundWindow.USER32 ref: 0040A467
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                      • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                      • String ID: [${ User has been idle for $ minutes }$<mG$<mG$<mG$]
                                                      • API String ID: 911427763-3636820255
                                                      • Opcode ID: 0c0e445e6939d6f7940a0c5a45d91b61cd855127d753689433e6956e50b99563
                                                      • Instruction ID: ab9145b4e211f5f3da3af6290e6e7a2c9d96cae7f6b46a2c86e206227f6ebbf0
                                                      • Opcode Fuzzy Hash: 0c0e445e6939d6f7940a0c5a45d91b61cd855127d753689433e6956e50b99563
                                                      • Instruction Fuzzy Hash: 1951D0716043409BC324FB25D886AAE7795AF84718F00093FF446A32E2DF7C9E55868F

                                                      Control-flow graph for the function at 0x40428c (blocks marked executed / not executed): connect at 40428c-4042ad; the failure branch 4043e1-4043e5 leads to WSAGetLastError at 4043e7-4043f5 and the error-logging blocks 4043fc-404437 and 404443-40445c; the TLS path runs through 4042eb (call 42035c), 404306 (call 42057e), 40434c (call 42113f) and 404389 (call 4204f5), each with its own failure-logging branch; on success 4043be-4043d7 calls CreateEventW twice and returns through 4043da-4043dc.
                                                      APIs
                                                      • connect.WS2_32(?,?,?), ref: 004042A5
                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                      • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                      • API String ID: 994465650-2151626615
                                                      • Opcode ID: cf49c6f555c49f8e19da3bd343099bda81994a7576a786df9d473324a29203c1
                                                      • Instruction ID: 8d860672b69a19ae3c360ccb47b0a38bc4e99592ce22fc56bfe6acc5d0e7da0a
                                                      • Opcode Fuzzy Hash: cf49c6f555c49f8e19da3bd343099bda81994a7576a786df9d473324a29203c1
                                                      • Instruction Fuzzy Hash: D54109B0B0020277CA04B77A884766E7A55AB85314B80012FE901A7AD3FE3DAD2587DF
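Added example, not part of the Joe Sandbox report and not code from the sample: a Python triage scanner for the status strings listed in the records above (the main connection loop at 0x4140ac, the connect routine at 0x40428c, the keep-alive routine at 0x404915 and the idle-time logger whose APIs are listed at 0040A456-0040A574). It searches a memory dump for each string in both ASCII and UTF-16LE, because the report lists the strings without their encoding, and matches any "Rmc-" identifier rather than only this sample's "Rmc-DCXXDI". The prefix generalisation, the two-encoding search and the embedded dump fragment are assumptions and constructed data, not facts the report states.

```python
"""Triage scanner for the Remcos status strings listed in this report.

Added example; the string list is copied from the report's String IDs, the
SAMPLE_DUMP below is constructed, and the two-encoding search plus the
"Rmc-" prefix match are assumptions, not facts the report states.
"""
import re

# Status/log strings from the functions at 0x404915, 0x4140ac, 0x40428c and
# the idle logger (APIs at 0040A456-0040A574), copied from the report.
REMCOS_STATUS_STRINGS = [
    "KeepAlive | Enabled | Timeout: ",
    "Connecting | ",
    "Connected | ",
    "Connection Error: Unable to create socket",
    "Connection Refused",
    "TLS Handshake... |",
    "TLS Authentication Failed",
    "Disconnected",
    "{ User has been idle for ",
]

# This sample's identifier is "Rmc-DCXXDI"; matching the prefix generally is
# an assumption that other builds keep it (the report cannot confirm that).
RMC_ID_RE = re.compile(rb"Rmc-[A-Z0-9]{4,12}")


def _find_all(data: bytes, needle: bytes):
    """Yield every offset of needle in data, including overlapping hits."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        yield idx
        start = idx + 1


def scan_dump(data: bytes) -> dict:
    """Map each status string found (ASCII or UTF-16LE) to its offsets, and
    list any "Rmc-" identifiers under the key "Rmc-ID"."""
    hits = {}
    for text in REMCOS_STATUS_STRINGS:
        offsets = []
        for needle in (text.encode("ascii"), text.encode("utf-16-le")):
            offsets.extend(_find_all(data, needle))
        if offsets:
            hits[text] = sorted(offsets)
    ids = [m.group(0).decode("ascii") for m in RMC_ID_RE.finditer(data)]
    if ids:
        hits["Rmc-ID"] = ids
    return hits


def verdict(hits: dict, min_strings: int = 3) -> bool:
    """Heuristic: an Rmc- identifier, or at least min_strings distinct
    status strings, is treated as a Remcos hit."""
    distinct = sum(1 for key in hits if key != "Rmc-ID")
    return "Rmc-ID" in hits or distinct >= min_strings


# Constructed dump fragment (not from the analysis): an ASCII string, a
# UTF-16LE string and the sample's identifier separated by padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Connecting | " + b"\x00" * 4
    + "TLS Handshake... |".encode("utf-16-le") + b"\x00" * 4
    + b"Rmc-DCXXDI\x00"
    + b"junk" * 8
    + b"Connection Refused\x00"
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for key, value in found.items():
        print(f"{key!r}: {value}")
    print("verdict:", verdict(found))
```

Run it against a process memory dump or the .sdmp files referenced in this report; the offsets let you jump straight to the log buffer in a hex editor, and the three-string threshold in verdict() keeps a lone "Disconnected" in an unrelated binary from firing.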

                                                      Control-flow graph for the function at 0x40c89e (blocks marked executed / not executed): block 40c8c9 branches to one handler per folder token; the 40c90f-40c916 handler (call 41b366) selects one of two alternative paths, 40c918-40c968 or 40c96a-40c9b6; all branches converge on GetLongPathNameW at 40c9ed-40ca13 and the string cleanup at 40ca18-40ca85.
                                                      APIs
                                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LongNamePath
                                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                      • API String ID: 82841172-425784914
                                                      • Opcode ID: 4c2cb8f42a11c4837a933b64665c4adbebb485c1a13128294ca0300166a406df
                                                      • Instruction ID: f058a63a2e06dcb2b247864a9289bab0e783a4957c20bc3838a58b63f1508e50
                                                      • Opcode Fuzzy Hash: 4c2cb8f42a11c4837a933b64665c4adbebb485c1a13128294ca0300166a406df
                                                      • Instruction Fuzzy Hash: F0415C721482009AC214F721DC97DAFB7A4AE90759F10063FF546720E2EE7CAA59C69F
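Added example, not part of the Joe Sandbox report and not code from the sample: a Python resolver for the install-folder tokens listed in the record above (AppData, ProgramData, ProgramFiles, SystemDrive, Temp, UserProfile, WinDir, \SysWOW64, \system32), paired with a check for the HIDDEN|SYSTEM attribute combination (0x06) that the installation routine listed next passes to SetFileAttributesW after first resetting the file to NORMAL (0x80). The token-to-environment-variable mapping and the treatment of \SysWOW64 and \system32 as suffixes of the Windows directory are assumptions; the report shows only the token strings and the GetLongPathNameW call.

```python
"""Resolve Remcos-style install-folder tokens and hunt for hidden+system files.

Added example; the tokens come from the string table of the function at
0x40c89e and the attribute value 0x06 from the installation routine's
SetFileAttributesW call. The token-to-variable mapping and the handling of
the "\\SysWOW64" / "\\system32" suffixes are assumptions.
"""
import os
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80  # value in the routine's first SetFileAttributesW call
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM  # 0x06, the second call

# Assumed mapping of the report's folder tokens to environment variables.
TOKEN_TO_ENV = {
    "AppData": "APPDATA",
    "ProgramData": "PROGRAMDATA",
    "ProgramFiles": "PROGRAMFILES",
    "SystemDrive": "SYSTEMDRIVE",
    "Temp": "TEMP",
    "UserProfile": "USERPROFILE",
    "WinDir": "WINDIR",
}
# Assumed: these two tokens are suffixes appended to the Windows directory.
WINDIR_SUFFIXES = ("\\SysWOW64", "\\system32")


def resolve_install_dir(token: str, env) -> str:
    """Turn a folder token from the config into a concrete directory.

    env is passed explicitly so the resolver can be run against a victim's
    environment block from a triage script instead of the analyst's own.
    """
    if token in WINDIR_SUFFIXES:
        windir = env.get("WINDIR")
        if windir is None:
            raise KeyError("WINDIR is not set in the supplied environment")
        return windir.rstrip("\\") + token
    var = TOKEN_TO_ENV.get(token)
    if var is None:
        raise ValueError(f"unknown install token: {token!r}")
    value = env.get(var)
    if value is None:
        raise KeyError(f"{var} is not set in the supplied environment")
    return value


def is_hidden_system(attrs: int) -> bool:
    """True when both HIDDEN and SYSTEM are set: the 0x06 combination the
    installer applies after first resetting the file to NORMAL (0x80)."""
    return (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM


def find_hidden_system_files(root, max_depth: int = 2) -> list:
    """Walk root a few levels deep and return files carrying HIDDEN|SYSTEM.

    st_file_attributes only exists on Windows; elsewhere every file reads as
    attribute 0 and the function returns an empty list.
    """
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        if depth >= max_depth:
            dirnames[:] = []  # stop descending below max_depth
        for name in filenames:
            path = Path(dirpath) / name
            try:
                attrs = getattr(path.stat(), "st_file_attributes", 0)
            except OSError:
                continue
            if is_hidden_system(attrs):
                found.append(str(path))
    return found


if __name__ == "__main__":
    # Resolve every token against this machine and list hidden+system files
    # in each candidate install directory.
    for token in list(TOKEN_TO_ENV) + list(WINDIR_SUFFIXES):
        try:
            target = resolve_install_dir(token, os.environ)
        except KeyError:
            continue
        for hit in find_hidden_system_files(target):
            print(f"{token}: hidden+system file {hit}")
```

Hidden+system is a legitimate combination for a handful of OS files (desktop.ini, pagefile.sys), so treat a hit under AppData, ProgramData, Temp or UserProfile as the interesting case and the \system32 and \SysWOW64 results as needing a second look against a known-good baseline.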

                                                      Control-flow Graph

                                                      APIs
                                                      • Sleep.KERNEL32(00001388), ref: 00409E62
                                                        • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                        • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                        • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                        • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                        • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                      • String ID: PSG$PSG$]
                                                      • API String ID: 3795512280-3325506286
                                                      • Opcode ID: 59d6eda1dc5a04f955d13a7f06d1206386346812c1dd96bd75aa56d1c89d0c36
                                                      • Instruction ID: 2e46ee78bd67d64478951c63fc585b7447d0c94e1b250d5b4a4871e09aa14890
                                                      • Opcode Fuzzy Hash: 59d6eda1dc5a04f955d13a7f06d1206386346812c1dd96bd75aa56d1c89d0c36
                                                      • Instruction Fuzzy Hash: 68517F716043005ACB05BB71C866ABF779AAF81309F00453FF886B71E2DE7D9D45C69A

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
                                                        • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
                                                        • Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
                                                        • Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
                                                        • Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637
                                                      • StrToIntA.SHLWAPI(00000000,0046CC58,?,00000000,00000000,004750FC,00000003,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0041A6E4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                      • String ID: (32 bit)$ (64 bit)$8ZG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                      • API String ID: 782494840-1475859423
                                                      • Opcode ID: f7a85f495538476fd04f4c990f04aa920c7271ab473fda262265197c8bc14782
                                                      • Instruction ID: 1adcdd06a104af508aeef54d465e0c78d2d81651f2e3fe11076ab4bcd17b792f
                                                      • Opcode Fuzzy Hash: f7a85f495538476fd04f4c990f04aa920c7271ab473fda262265197c8bc14782
                                                      • Instruction Fuzzy Hash: 1811C660A001012AC704B3A6DCDBDBF765A9B91304F44413FB856A71E2FB6C9D9583EE

                                                      Control-flow Graph

                                                      [Control-flow graph image omitted: basic blocks 41a726-41a7d3; calls InternetOpenW, InternetOpenUrlW, InternetReadFile (loop), InternetCloseHandle x2]
                                                      APIs
                                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A749
                                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A75F
                                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A778
                                                      • InternetCloseHandle.WININET(00000000), ref: 0041A7BE
                                                      • InternetCloseHandle.WININET(00000000), ref: 0041A7C1
                                                      Strings
                                                      • http://geoplugin.net/json.gp, xrefs: 0041A759
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandleOpen$FileRead
                                                      • String ID: http://geoplugin.net/json.gp
                                                      • API String ID: 3121278467-91888290
                                                      • Opcode ID: d708bf57c9bcdd1f8a7a65ae69f1350cab0609a96e180bb87bda40cc4cda5db0
                                                      • Instruction ID: dd066ffe0ad47051801ff1a9504fa95a24023bf504f9cdcf24902ddc36d2e50e
                                                      • Opcode Fuzzy Hash: d708bf57c9bcdd1f8a7a65ae69f1350cab0609a96e180bb87bda40cc4cda5db0
                                                      • Instruction Fuzzy Hash: C311947110A3126BD624EB169C85DBF7BECEF86765F00043EF845A2191DF68D848C6BA

                                                      Control-flow Graph

                                                      [Control-flow graph image omitted: basic blocks 409d97-409e47; calls CreateFileW, GetFileSize, Sleep, CloseHandle]
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                      • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleSizeSleep
                                                      • String ID: pQG
                                                      • API String ID: 1958988193-3769108836
                                                      • Opcode ID: 0f98f6b2fa3e8daa10c794e4e90518561bdac5fa53dda9530c93ee6adae91d98
                                                      • Instruction ID: 007c54a35b5ab6fada7f5b2b4f31fda992404cc28ee9ac254c5285dcec39f6dc
                                                      • Opcode Fuzzy Hash: 0f98f6b2fa3e8daa10c794e4e90518561bdac5fa53dda9530c93ee6adae91d98
                                                      • Instruction Fuzzy Hash: 0911E730640B406AE720E724D88972F7B9AAB81316F44047EF18566AE3CA799CD5C29D

                                                      Control-flow Graph

                                                      [Control-flow graph image omitted: basic blocks 4127aa-412808; calls RegCreateKeyA, RegSetValueExA, RegCloseKey]
                                                      APIs
                                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
                                                      • RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
                                                      • RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID: XwF$pth_unenc
                                                      • API String ID: 1818849710-1649331827
                                                      • Opcode ID: a33492682faf8f4a7bd2e45a582a8398943db92faccb4fb8927a7d9da3d413cc
                                                      • Instruction ID: b42ea712bc7a6ff48bd64609183fdbccf638e423d93a2202917fd6756948167f
                                                      • Opcode Fuzzy Hash: a33492682faf8f4a7bd2e45a582a8398943db92faccb4fb8927a7d9da3d413cc
                                                      • Instruction Fuzzy Hash: 27F06D32140204BBCB00AFA1DD45AEF3768EF00751B108169B916B60A1EE759E04EBA4

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                      • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread$LocalTimewsprintf
                                                      • String ID: Offline Keylogger Started
                                                      • API String ID: 465354869-4114347211
                                                      • Opcode ID: 413225cce52aee32b715eff5e13c65a485cf973104212bdc3a05f84c9635596c
                                                      • Instruction ID: 15e43fcc554e39227c644a0273f32637653ac1eeca6ef832bd6c9a92d0497390
                                                      • Opcode Fuzzy Hash: 413225cce52aee32b715eff5e13c65a485cf973104212bdc3a05f84c9635596c
                                                      • Instruction Fuzzy Hash: 0A1198B15003097AD224BA36CC86DBF7A5CDA813A8B40053EB845622D3EA785E14C6FB
                                                      APIs
                                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                      • RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                      • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID: TeF
                                                      • API String ID: 1818849710-331424825
                                                      • Opcode ID: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
                                                      • Instruction ID: 5082c9e4fe043c0a9a82c1e0a3a4def458545ef8caf92c2e29ea1f35f3ad8a86
                                                      • Opcode Fuzzy Hash: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
                                                      • Instruction Fuzzy Hash: C9E03971640308BFDF119B919C05FDB3BA8EB04B95F004165FA05F61A1DAB1DE18EBA8
                                                      APIs
                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                      • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                      • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 3360349984-0
                                                      • Opcode ID: eceb8113e26336935bf5c75f2de3c1b2d8d60dab3ee53c9ce013581b5c88e7f2
                                                      • Instruction ID: 5371640f48c6a0368c7cea64887978d4ac2a240c02499e3407376e9d4191e8ff
                                                      • Opcode Fuzzy Hash: eceb8113e26336935bf5c75f2de3c1b2d8d60dab3ee53c9ce013581b5c88e7f2
                                                      • Instruction Fuzzy Hash: 10417171504301ABC700FB61CC55D7FBBE9AFD5315F00093EF892A32E2EE389909866A
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
                                                      • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
                                                      • CloseHandle.KERNEL32(00000000), ref: 0041B817
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateHandlePointerWrite
                                                      • String ID:
                                                      • API String ID: 3604237281-0
                                                      • Opcode ID: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
                                                      • Instruction ID: fca0af3f27241acfb9d15a16a542bc487c24adb9e916811621f81636ea96e045
                                                      • Opcode Fuzzy Hash: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
                                                      • Instruction Fuzzy Hash: 1501F5712052057FE6105E249CC9EBB739CEB82B75F10063EF662D23C1DB25CC8686B9
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CountEventTick
                                                      • String ID: NG
                                                      • API String ID: 180926312-1651712548
                                                      • Opcode ID: 2dd0ccaeec8dff5bc5cefe6a82063f4aebaa20f84b08a88131a51017049765b7
                                                      • Instruction ID: 085b2f02be9ab0868ba51c73fb921716b1faa5b055701b3286f453889ed4f7a0
                                                      • Opcode Fuzzy Hash: 2dd0ccaeec8dff5bc5cefe6a82063f4aebaa20f84b08a88131a51017049765b7
                                                      • Instruction Fuzzy Hash: C85182321042409AC624FB71D8A2AEF73E5AFD0304F00453FB94A671E2EF789949C69E
                                                      APIs
                                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040DA7D,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0040BEE6
                                                      • GetLastError.KERNEL32 ref: 0040BEF1
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateErrorLastMutex
                                                      • String ID: Rmc-DCXXDI
                                                      • API String ID: 1925916568-2144396903
                                                      • Opcode ID: a3b1be1148cb3973ecd705bae41f9902d0fcd13797bcadbc01d9bc0dca2f87b2
                                                      • Instruction ID: 2210f0ff69d3cac9d22e7a3f14049619627ec1602d204fa864a150733b7892bf
                                                      • Opcode Fuzzy Hash: a3b1be1148cb3973ecd705bae41f9902d0fcd13797bcadbc01d9bc0dca2f87b2
                                                      • Instruction Fuzzy Hash: B9D012702057009BE70817709D4E76D3951D784703F00407DB90BE51E1CEA488409519
                                                      APIs
                                                      • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
                                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
                                                      • RegCloseKey.KERNEL32(?), ref: 00412637
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID:
                                                      • API String ID: 3677997916-0
                                                      • Opcode ID: 3cd3d7d3008c69d15b158efa000f5de0851c37b6ec12a2d5daac047773a23bf0
                                                      • Instruction ID: 14faf112d3046a25d46051106a5b1d66d342437105d793e51b0bcc882fecfd0c
                                                      • Opcode Fuzzy Hash: 3cd3d7d3008c69d15b158efa000f5de0851c37b6ec12a2d5daac047773a23bf0
                                                      • Instruction Fuzzy Hash: D8F0D176900118BBCB209B91DD09EDF7B7CEB44B50F00406ABA05F2190DA749E599BA8
                                                      APIs
                                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
                                                      • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
                                                      • RegCloseKey.KERNEL32(00000000), ref: 00412775
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID:
                                                      • API String ID: 3677997916-0
                                                      • Opcode ID: 2290404c5028f19351fda844a65f428930317fa0cea8d3593e6495ca7ac6aa60
                                                      • Instruction ID: 218a6bf298efa18a53fa985214dbde7e418f837aa6fd6996b0f70a828ecfe766
                                                      • Opcode Fuzzy Hash: 2290404c5028f19351fda844a65f428930317fa0cea8d3593e6495ca7ac6aa60
                                                      • Instruction Fuzzy Hash: 6501AD35800229BFDF215F91DC09DDF7F38EF05760F004065BA08A20A0EB3589A9DBA4
                                                      APIs
                                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
                                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
                                                      • RegCloseKey.KERNEL32(?), ref: 004125D8
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID:
                                                      • API String ID: 3677997916-0
                                                      • Opcode ID: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
                                                      • Instruction ID: f1b1b21d3432ee16d2560aa6e8f8b6fc3b679f7482eced78fea8614e15db81c1
                                                      • Opcode Fuzzy Hash: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
                                                      • Instruction Fuzzy Hash: B4F03075A00208BFDF119FA09C45FDEBBB8EB04B55F104065FA05F6191D670DA54DB94
                                                      APIs
                                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004670E0), ref: 0041255D
                                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004670E0), ref: 00412571
                                                      • RegCloseKey.KERNEL32(?,?,?,0040B996,004670E0), ref: 0041257C
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID:
                                                      • API String ID: 3677997916-0
                                                      • Opcode ID: 90b816baf6681459c689896bd7ee7621983de5913a9f55156db5b466bfdb1e74
                                                      • Instruction ID: da5e3a6b8615f7fc9763e362b131f946d251b316bd2acc507b7b22157b73f9fc
                                                      • Opcode Fuzzy Hash: 90b816baf6681459c689896bd7ee7621983de5913a9f55156db5b466bfdb1e74
                                                      • Instruction Fuzzy Hash: 1BE03931941224BB9B200BA29D09EDB7F6DEF06BA1B010455B809A2111DAA18E54EAF4
                                                      APIs
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: ]
                                                      • API String ID: 176396367-1876980090
                                                      • Opcode ID: 025e3e4768cc8a802bf55c327d7a2483ad7764abdea9560a4cc63c803d4be503
                                                      • Instruction ID: 7b719d08391bbb12b01dd12fa1e9474f3c31e37c6e717f7fed2b29792a4b3228
                                                      • Opcode Fuzzy Hash: 025e3e4768cc8a802bf55c327d7a2483ad7764abdea9560a4cc63c803d4be503
                                                      • Instruction Fuzzy Hash: B71193329002059BCB05FF66D8529EE77A4EF54319B10443FF842662E2EF78A915CB98
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041AB64
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID: @
                                                      • API String ID: 1890195054-2766056989
                                                      • Opcode ID: a4fe8e15525f2be1febd29730eb74c732a6063ed027868c332be47892e1af589
                                                      • Instruction ID: b665d68c061e3f9f56ba9c4249da2251c097319f67e9030db6e937b6cf7da2fa
                                                      • Opcode Fuzzy Hash: a4fe8e15525f2be1febd29730eb74c732a6063ed027868c332be47892e1af589
                                                      • Instruction Fuzzy Hash: 00D067B59013189FCB20DFA8E945A8DBBF8EB48214F004529E946E3744E774E945CB94
                                                      APIs
                                                      • _free.LIBCMT ref: 0044BBEF
                                                        • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                      • RtlReAllocateHeap.NTDLL(00000000,00476D58,?,00000004,00000000,?,0044EB1A,00476D58,00000004,?,00476D58,?,?,00443335,00476D58,?), ref: 0044BC2B
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap$_free
                                                      • String ID:
                                                      • API String ID: 1482568997-0
                                                      • Opcode ID: c663a77da406be6e54bbe5e4694e400583292b09c8c587c623d78d47e3d5e62a
                                                      • Instruction ID: 767aa377775814b37deb1c17d78f1b9627af84273febb40deea43816b68d1426
                                                      • Opcode Fuzzy Hash: c663a77da406be6e54bbe5e4694e400583292b09c8c587c623d78d47e3d5e62a
                                                      • Instruction Fuzzy Hash: D3F0C23160051166FB212A679C81F6B2B59CF82B74B15402FF805AA691DF3CD841A1ED
                                                      APIs
                                                      • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                        • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
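Every entry in the APIs lists on this page has the same shape: an optional "Part of subcall function <addr>:" prefix, the API name and module, the raw 32-bit stack values the sandbox recovered (with "?" where it could not), and the call-site address after "ref:". Reading those hex values by eye is slow, so here is an added Python example (not part of the Joe Sandbox report or of the Remcos sample) that parses such lines into records and decodes the Win32 constants a triager cares about in the registry and Winsock calls above: 80000001 is HKEY_CURRENT_USER, 00020019 is KEY_READ, socket type 1/protocol 6 is SOCK_STREAM over IPPROTO_TCP, and WSAStartup's 00000202 requests Winsock 2.2. The sample text is copied from this page's listings; the constant tables are standard Win32 values, and only the first real parameters of each call are decoded, because the remaining columns are whatever else sat on the stack.

```python
"""Parse Joe Sandbox 'APIs' entries and decode well-known Win32 constants.

Added example for reading the function listings above; not code from the
sandbox vendor or from the analysed sample.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API entries copied verbatim from the listings on this page.
SAMPLE_LINES = """\
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040DA7D,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
• RegCloseKey.KERNEL32(?), ref: 00412637
• socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
• __CxxThrowException@8.LIBVCRUNTIME ref: 00433FF2
"""

# One API entry: optional subcall prefix, Name.MODULE, optional (args), ref: address.
ENTRY_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Standard Win32 constants (winreg.h, winsock2.h).
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                      # call-site address inside the dumped image
    args: list                    # int for hex values, None for '?', str for literals
    parent: Optional[int] = None  # enclosing function when listed as a subcall


def parse_arg(token: str):
    token = token.strip()
    if token == "?":
        return None                   # value the sandbox could not recover
    if HEX_RE.match(token):
        return int(token, 16)         # 32-bit value as shown on the stack
    return token                      # string literal the sandbox resolved, e.g. "Exe"


def parse_calls(text: str) -> list:
    """Turn the report text into ApiCall records; non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"),
                             int(m.group("ref"), 16), args, parent))
    return calls


def decode(call: ApiCall) -> dict:
    """Name the leading arguments whose meaning is fixed by the Win32 prototype."""
    a, notes = call.args, {}
    if call.api.startswith("RegOpenKeyEx") and len(a) >= 4:
        if isinstance(a[0], int):
            notes["hKey"] = HKEY.get(a[0], hex(a[0]))
        if isinstance(a[3], int):
            notes["samDesired"] = SAM.get(a[3], hex(a[3]))
    elif call.api == "socket" and len(a) >= 3:
        if isinstance(a[1], int):
            notes["type"] = SOCK_TYPE.get(a[1], str(a[1]))
        if isinstance(a[2], int):
            notes["protocol"] = PROTO.get(a[2], str(a[2]))
    elif call.api == "WSAStartup" and a and isinstance(a[0], int):
        # MAKEWORD(major, minor): low byte is the major version.
        notes["wVersionRequested"] = f"{a[0] & 0xFF}.{a[0] >> 8}"
    elif call.api.startswith("CreateEvent") and len(a) >= 3:
        if isinstance(a[1], int):
            notes["bManualReset"] = bool(a[1])
        if isinstance(a[2], int):
            notes["bInitialState"] = bool(a[2])
    elif call.api.startswith("CreateMutex") and len(a) >= 2 and isinstance(a[1], int):
        notes["bInitialOwner"] = bool(a[1])
    return notes


def by_module(calls: list) -> dict:
    """Count calls per import module, a quick view of what the function touches."""
    return dict(Counter(c.module for c in calls))


if __name__ == "__main__":
    for c in parse_calls(SAMPLE_LINES):
        where = f" (in sub {c.parent:08X})" if c.parent is not None else ""
        print(f"{c.ref:08X} {c.module}!{c.api}{where} {decode(c)}")
```

Only the first few arguments of each call are decoded on purpose: Joe Sandbox prints a fixed window of stack slots, so later columns (for instance the "Exe" literal and the 0046656C pointer in the CreateMutexA entry) belong to the caller's frame rather than to the API's own parameters.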
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateEventStartupsocket
                                                      • String ID:
                                                      • API String ID: 1953588214-0
                                                      • Opcode ID: 9dcc25316a99288ac387cf2e613c868b0e107fead0b532e7680f1acbcbd447ec
                                                      • Instruction ID: e62a462d4859cb901c95814de100b0ae44c334504336dc08fc7633b5118be932
                                                      • Opcode Fuzzy Hash: 9dcc25316a99288ac387cf2e613c868b0e107fead0b532e7680f1acbcbd447ec
                                                      • Instruction Fuzzy Hash: 100171B0508B809FD7358F38B8456977FE0AB15314F044DAEF1D697BA1C7B5A481CB18
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00433FF2
                                                        • Part of subcall function 00437DE7: RaiseException.KERNEL32(?,?,00434621,?,?,?,?,?,?,?,?,00434621,?,0046E654,0041AF80,?), ref: 00437E47
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0043400F
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3476068407-0
                                                      • Opcode ID: 2f8450b131b2c7cae6b2994a14d2746b0b5bc3d5d5124e6b0ed98aed2215fcc2
                                                      • Instruction ID: 1c2073f64fee591a786a8a3f9c67cac18272885bad9296719f7a79fda1cbf913
                                                      • Opcode Fuzzy Hash: 2f8450b131b2c7cae6b2994a14d2746b0b5bc3d5d5124e6b0ed98aed2215fcc2
                                                      • Instruction Fuzzy Hash: 1BF0BB25C0430D768B04BEA6E80A9AD33BC5E08329F50513BB825914D1FB7C9759C5CD
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 0041AE7F
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AE92
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$ForegroundText
                                                      • String ID:
                                                      • API String ID: 29597999-0
                                                      • Opcode ID: 27a61dc13c3baf2ab93a997f5cd2cb0d43e4b22d1e77ef92c0de48519faa66db
                                                      • Instruction ID: 7a6786a6daea7d79da8b38e9164549a295f8c3929764bf887eb2819544a3ffc0
                                                      • Opcode Fuzzy Hash: 27a61dc13c3baf2ab93a997f5cd2cb0d43e4b22d1e77ef92c0de48519faa66db
                                                      • Instruction Fuzzy Hash: 4AE04875A0031867FB20B7659C4EFD6766C9704B05F0400ADB619E21C3EDB4EA048BE4
                                                      APIs
                                                      • getaddrinfo.WS2_32(00000000,00000000,00000000,00472B28,004750FC,00000000,00414318,00000000,00000001), ref: 00414094
                                                      • WSASetLastError.WS2_32(00000000), ref: 00414099
                                                        • Part of subcall function 00413F0F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
                                                        • Part of subcall function 00413F0F: LoadLibraryA.KERNEL32(?), ref: 00413FA0
                                                        • Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
                                                        • Part of subcall function 00413F0F: FreeLibrary.KERNEL32(00000000), ref: 00413FC7
                                                        • Part of subcall function 00413F0F: LoadLibraryA.KERNEL32(?), ref: 00413FFF
                                                        • Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
                                                        • Part of subcall function 00413F0F: FreeLibrary.KERNEL32(00000000), ref: 00414018
                                                        • Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,?), ref: 00414027
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                      • String ID:
                                                      • API String ID: 1170566393-0
                                                      • Opcode ID: 82e440812e84df215c52e3f2a247b94cffd3b5d9bcffb41726cfdd66b840233f
                                                      • Instruction ID: e2cb8cd332084910a557c38b5932e5372e8318120e5bc29c0191cd414ba32ecd
                                                      • Opcode Fuzzy Hash: 82e440812e84df215c52e3f2a247b94cffd3b5d9bcffb41726cfdd66b840233f
                                                      • Instruction Fuzzy Hash: F4D012326406216B93506B6D5D01EBB5AEDDF96761B06003BF508D6111DA946C4142A8
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 0df71086ebe011a22fdff847967a9c5229befe104b2723ee1c4cd472e7f23894
                                                      • Instruction ID: 40638bbf90b8c7646580dfe44e72c34c865d7c07d7b9b06d8b79509a7ad90776
                                                      • Opcode Fuzzy Hash: 0df71086ebe011a22fdff847967a9c5229befe104b2723ee1c4cd472e7f23894
                                                      • Instruction Fuzzy Hash: 52E0E5B1B00220A6FB202A6A8C02B5B36498F437B4F070033AC0A9A291CE6CCC4081AF
                                                      APIs
                                                      • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Startup
                                                      • String ID:
                                                      • API String ID: 724789610-0
                                                      • Opcode ID: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
                                                      • Instruction ID: a6df37c1a3c4b0bfee4e794801b63ea3b6ec8424062e123ecf3ffc10766d7ffb
                                                      • Opcode Fuzzy Hash: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
                                                      • Instruction Fuzzy Hash: F7D012325586094ED620AAB5AD0F8A4775CD317611F0003BA6CB5825D3FA84561CC6AB
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: send
                                                      • String ID:
                                                      • API String ID: 2809346765-0
                                                      • Opcode ID: 733b60b5868be77d00c88bb6e02a93299a3caf11162c6b1e2887e039244bfe1f
                                                      • Instruction ID: aaa3dbc129b5069e484ee587900df28e469ef685d0a3e158187009c9450646dc
                                                      • Opcode Fuzzy Hash: 733b60b5868be77d00c88bb6e02a93299a3caf11162c6b1e2887e039244bfe1f
                                                      • Instruction Fuzzy Hash: 30B09279118302BFCA051B60CC0887A7EB6ABC9381B108C2CB546611B0DE37C490EB36
                                                      APIs
                                                      • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                      • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                      • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                        • Part of subcall function 0041B63A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
                                                        • Part of subcall function 0041B63A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
                                                        • Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717
                                                        • Part of subcall function 0041B63A: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
                                                        • Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                        • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                        • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                        • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                        • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                        • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
                                                        • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                      • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                        • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                        • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                        • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                      • Sleep.KERNEL32(000007D0), ref: 00407976
                                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                        • Part of subcall function 0041BD82: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                      • String ID: @PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $TdF$Unable to delete: $Unable to rename file!$VNG$open$pPG$pPG$pPG$pPG$NG
                                                      • API String ID: 2918587301-2537973685
                                                      • Opcode ID: 8c9b85b3cc5fd76c67877238ae870cf5e1538384d5724b3e5923403a166763a5
                                                      • Instruction ID: 1d2e2627ec10ef381271a766c0004beadc8049fa085ae304c46d09a1b017b010
                                                      • Opcode Fuzzy Hash: 8c9b85b3cc5fd76c67877238ae870cf5e1538384d5724b3e5923403a166763a5
                                                      • Instruction Fuzzy Hash: 0F42A271A043005BC614FB76C8979AE76A59F90708F40493FF946771E2EE3CAA09C6DB
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0040508E
                                                        • Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
                                                        • Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      • __Init_thread_footer.LIBCMT ref: 004050CB
                                                      • CreatePipe.KERNEL32(00476D14,00476CFC,00476C20,00000000,0046656C,00000000), ref: 0040515E
                                                      • CreatePipe.KERNEL32(00476D00,00476D1C,00476C20,00000000), ref: 00405174
                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476C30,00476D04), ref: 004051E7
                                                        • Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
                                                        • Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C
                                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                        • Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6
                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,00466570,00000062,00466554), ref: 0040538E
                                                      • Sleep.KERNEL32(00000064,00000062,00466554), ref: 004053A8
                                                      • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                      • CloseHandle.KERNEL32 ref: 004053CD
                                                      • CloseHandle.KERNEL32 ref: 004053D5
                                                      • CloseHandle.KERNEL32 ref: 004053E7
                                                      • CloseHandle.KERNEL32 ref: 004053EF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                      • String ID: lG$ mG$ mG$ mG$0lG$SystemDrive$cmd.exe$xlG$xlG$xlG$xlG$xlG
                                                      • API String ID: 3815868655-3731297122
                                                      • Opcode ID: 68d87144457253b08b549f4ac4b550c69573f0e79a638d518ea1dc6d308e707a
                                                      • Instruction ID: f3d75f47542da312923ddfb9c6ddab2c5323933c8a72fe1ed5abf95ef94fff6a
                                                      • Opcode Fuzzy Hash: 68d87144457253b08b549f4ac4b550c69573f0e79a638d518ea1dc6d308e707a
                                                      • Instruction Fuzzy Hash: 3491C571600605AFC610BB65ED42A6F3BAAEB84344F01443FF949A22E2DF7D9C448F6D
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 0041101D
                                                        • Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                        • Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                        • Part of subcall function 004128AD: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00411059
                                                      • CreateThread.KERNEL32(00000000,00000000,0041170F,00000000,00000000,00000000), ref: 004110BE
                                                        • Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
                                                        • Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
                                                        • Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8
                                                      • CloseHandle.KERNEL32(00000000), ref: 00411068
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00411332
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                      • String ID: 0TG$Remcos restarted by watchdog!$TdF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                      • API String ID: 65172268-4169584339
                                                      • Opcode ID: 372d1b824043999fb3ea61122839910be527bab052fefb095489169812ad4faf
                                                      • Instruction ID: de889ccbd4d484bbc366ed6bf297281231fcf4352047712fae5372da0dd81bf3
                                                      • Opcode Fuzzy Hash: 372d1b824043999fb3ea61122839910be527bab052fefb095489169812ad4faf
                                                      • Instruction Fuzzy Hash: 3D717E3160420157C214FB72CC579AE77A8AF94719F40053FF986A21E2EF7C9A49C6AF
                                                      APIs
                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                      • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                      • FindClose.KERNEL32(00000000), ref: 0040B517
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$CloseFile$FirstNext
                                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                      • API String ID: 1164774033-3681987949
                                                      • Opcode ID: 6c2aa191b7658a53db036245a9cdec4fec9e324b839b32eec9595b3f4300475a
                                                      • Instruction ID: 4260ee55bd24f38cfaff6d718e7bb7aae0563b8f0cd35122f003610daf392ab1
                                                      • Opcode Fuzzy Hash: 6c2aa191b7658a53db036245a9cdec4fec9e324b839b32eec9595b3f4300475a
                                                      • Instruction Fuzzy Hash: 0A510B319042195ADB14F7A2DC96AEE7764EF50318F50017FF806B30E2EF789A45CA9D
                                                      APIs
                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                      • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                      • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                      • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$Close$File$FirstNext
                                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                      • API String ID: 3527384056-432212279
                                                      • Opcode ID: c29a3aa1853b92e95312d94e519dd42d8e7ed5a614533796f0446510dfd501b9
                                                      • Instruction ID: 1e8de758c2b97f43aed4804fc6a56dd8ce4d3e4bc3adeefe5a602588f19c01c2
                                                      • Opcode Fuzzy Hash: c29a3aa1853b92e95312d94e519dd42d8e7ed5a614533796f0446510dfd501b9
                                                      • Instruction Fuzzy Hash: F4412C319042196ACB14F7A5EC569EE7768EE11318F50017FF802B31E2EF399A458A9E
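The per-function listings above are what an analyst reads to decide what the sample can do: the CreatePipe / CreateProcessA / PeekNamedPipe loop with the "cmd.exe" string is the remote shell, the OpenMutexA / CreateThread / OpenProcess function with the "Watchdog module activated" and "svchost.exe" strings is the watchdog, and the FindFirstFileA walks over "\AppData\Roaming\Mozilla\Firefox\Profiles\" with "logins.json" / "key3.db" / "cookies.sqlite" are the Firefox credential and cookie wipes. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a small Python parser for the report's "APIs" and "String ID" lines that turns each function block into capability tags. SAMPLE_REPORT is a constructed excerpt of lines taken from this page, and the CAPABILITIES table is this example's own assumption about which API and string combinations indicate each behaviour; it is not a Joe Sandbox feature.

```python
"""Tag Joe Sandbox per-function "APIs" blocks with the capability they imply.

Added example; not Joe Sandbox code and not code from the Remcos sample.
SAMPLE_REPORT is a constructed excerpt of lines from this report, and the
CAPABILITIES map is this example's own reading of what API/string
combinations mean (an assumption, not a Joe Sandbox feature).
"""
import re
from dataclasses import dataclass, field

# "Name.MODULE(args), ref: ADDRESS" or "Name.MODULE ref: ADDRESS"
CALL_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\(.*\))?,? ref: (?P<ref>[0-9A-F]{8})$")

# Constructed excerpt: the cmd.exe shell, the watchdog and the Firefox-logins
# functions as listed in this report (Memory Dump Source lines omitted).
SAMPLE_REPORT = r"""
APIs
• CreatePipe.KERNEL32(00476D14,00476CFC,00476C20,00000000,0046656C,00000000), ref: 0040515E
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476C30,00476D04), ref: 004051E7
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
• TerminateProcess.KERNEL32(00000000), ref: 004053C1
Strings
• String ID: lG$ mG$ mG$ mG$0lG$SystemDrive$cmd.exe$xlG$xlG$xlG$xlG$xlG
• Opcode ID: 68d87144457253b08b549f4ac4b550c69573f0e79a638d518ea1dc6d308e707a
APIs
• GetCurrentProcessId.KERNEL32 ref: 0041101D
  • Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
  • Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00411059
• CreateThread.KERNEL32(00000000,00000000,0041170F,00000000,00000000,00000000), ref: 004110BE
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00411332
Strings
• String ID: 0TG$Remcos restarted by watchdog!$TdF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
• Opcode ID: 372d1b824043999fb3ea61122839910be527bab052fefb095489169812ad4faf
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
• FindClose.KERNEL32(00000000), ref: 0040B3CE
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
Strings
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• Opcode ID: 6c2aa191b7658a53db036245a9cdec4fec9e324b839b32eec9595b3f4300475a
"""

# Assumed mapping: (APIs that must all appear, string fragments that must all
# appear, case-insensitive). Subcall APIs count, because the report attributes
# them to the calling function.
CAPABILITIES = {
    "remote_shell": ({"CreatePipe", "CreateProcessA", "PeekNamedPipe"}, {"cmd.exe"}),
    "watchdog_persistence": ({"OpenProcess", "CreateThread", "OpenMutexA"}, {"watchdog"}),
    "registry_persistence": ({"RegCreateKeyA", "RegSetValueExA"}, set()),
    "firefox_credential_wipe": ({"FindFirstFileA"}, {"\\Mozilla\\Firefox\\Profiles\\", "logins.json"}),
    "firefox_cookie_wipe": ({"FindFirstFileA"}, {"\\Mozilla\\Firefox\\Profiles\\", "cookies.sqlite"}),
    "clipboard_access": ({"OpenClipboard", "GetClipboardData"}, set()),
}


@dataclass
class Call:
    name: str
    module: str
    ref: str
    subcall: bool


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""

    @property
    def entry(self) -> str:
        """Lowest direct-call address: a rough anchor for the function."""
        refs = [c.ref for c in self.calls if not c.subcall]
        return min(refs) if refs else "?"  # fixed-width hex sorts numerically


def parse(text: str) -> list:
    """Split report text into FunctionBlocks at each 'APIs' header."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if raw.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("String ID:"):
            cur.strings = [s for s in line[len("String ID:"):].split("$") if s.strip()]
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        else:
            sub = line.startswith("Part of subcall function ")
            m = CALL_RE.match(line.split(": ", 1)[1] if sub else line)
            if m:
                cur.calls.append(Call(m["name"], m["module"], m["ref"], sub))
    return blocks


def tag(block: FunctionBlock) -> list:
    """Return the sorted capability tags whose APIs and strings all appear."""
    seen = {c.name for c in block.calls}
    blob = "\x00".join(block.strings).lower()
    return sorted(t for t, (apis, frags) in CAPABILITIES.items()
                  if apis <= seen and all(f.lower() in blob for f in frags))


def summarize(text: str) -> dict:
    """Map each function's entry address to its capability tags."""
    return {b.entry: tag(b) for b in parse(text)}


if __name__ == "__main__":
    for entry, tags in summarize(SAMPLE_REPORT).items():
        print(entry, ", ".join(tags) or "-")
```

Run against the full "APIs" section of a report the same parser gives one line per function; functions with no tag are usually runtime or helper code, and a tag that fires on more than one block (for example firefox_credential_wipe on the 0040B3B4 and 0040B5B2 walks) is worth diffing by hand, since the String ID line is the only thing that separates them.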
                                                      APIs
                                                      • OpenClipboard.USER32 ref: 00415B5F
                                                      • EmptyClipboard.USER32 ref: 00415B6D
                                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415B8D
                                                      • GlobalLock.KERNEL32(00000000), ref: 00415B96
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415BCC
                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00415BD5
                                                      • CloseClipboard.USER32 ref: 00415BF2
                                                      • OpenClipboard.USER32 ref: 00415BF9
                                                      • GetClipboardData.USER32(0000000D), ref: 00415C09
                                                      • GlobalLock.KERNEL32(00000000), ref: 00415C12
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
                                                      • CloseClipboard.USER32 ref: 00415C21
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                      • String ID:
                                                      • API String ID: 3520204547-0
                                                      • Opcode ID: b6601ed24abfed9cf7fe240a2c5566a7417a315aa523f1e37220b92a7528f2ec
                                                      • Instruction ID: a6dc46a1ac747b1df6f49b20b287b9a63e2ec98da8de7deae82efe0a0170cbcd
                                                      • Opcode Fuzzy Hash: b6601ed24abfed9cf7fe240a2c5566a7417a315aa523f1e37220b92a7528f2ec
                                                      • Instruction Fuzzy Hash: A82137711047009BC714BBB1DC5AAAF7669AF94B06F00443FF907A61E2EF38C945C76A
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,004750FC), ref: 0040E30B
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,004750FC), ref: 0040E336
                                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E352
                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E3D5
                                                      • CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E3E4
                                                        • Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                        • Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                        • Part of subcall function 004128AD: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                      • CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E449
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                      • API String ID: 726551946-1743721670
                                                      • Opcode ID: fe7551fdfbdcf3ebe62b75ae427e45e4e23c61079ab323ff6510b1fdea246979
                                                      • Instruction ID: 57de327b15d82dbd2eac346b6cac6cdabb084366653080b34320caf9a24139d1
                                                      • Opcode Fuzzy Hash: fe7551fdfbdcf3ebe62b75ae427e45e4e23c61079ab323ff6510b1fdea246979
                                                      • Instruction Fuzzy Hash: A17150311043419BC714FB62D8529AFB7A5AFD1358F400D3EF986631E2EF389919CA9A
                                                      APIs
                                                      • _free.LIBCMT ref: 004480CC
                                                      • _free.LIBCMT ref: 004480F0
                                                      • _free.LIBCMT ref: 00448277
                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
                                                      • _free.LIBCMT ref: 00448443
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                      • String ID: xE$xE
                                                      • API String ID: 314583886-1741595589
                                                      • Opcode ID: d596b97672170a59560d370264e130457457ea9fa8a9b0ba60a97bf2640f5a79
                                                      • Instruction ID: 53eab31d398634ed2913b9f897b2f59caf849b5b19a8cc02276c673e3ebcc531
                                                      • Opcode Fuzzy Hash: d596b97672170a59560d370264e130457457ea9fa8a9b0ba60a97bf2640f5a79
                                                      • Instruction Fuzzy Hash: 24C14731904205ABFB249F698D81AAF7BB8EF41310F2441AFE88497351EF798E42C75C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0$1$2$3$4$5$6$7
                                                      • API String ID: 0-3177665633
                                                      • Opcode ID: 52b676760061c84767d297b93dc47341045c93b1f976ba96d1747faf8790e9a2
                                                      • Instruction ID: a206eb20bee8e87b23b85030021c48398d73e585fead2f4b7fd4ae1d02439eb2
                                                      • Opcode Fuzzy Hash: 52b676760061c84767d297b93dc47341045c93b1f976ba96d1747faf8790e9a2
                                                      • Instruction Fuzzy Hash: EA61D5B4108301AEDB00EF21C862FEA77E4AF95750F44485EF591672E2DF78AA48C797
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,00475108), ref: 00409B3F
                                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                      • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                      • GetKeyState.USER32(00000010), ref: 00409B5C
                                                      • GetKeyboardState.USER32(?,?,00475108), ref: 00409B67
                                                      • ToUnicodeEx.USER32(0047515C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                      • ToUnicodeEx.USER32(0047515C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                      • String ID: `kG
                                                      • API String ID: 1888522110-3643241581
                                                      • Opcode ID: c97b305c4e5192c039be4b57959f7d148ad44e176559ca20096398a0f42faa8b
                                                      • Instruction ID: 5852d3e9e60d78bbc7fecef5f6baa999b7b2ba0a9f64a262714a670a3ee03c46
                                                      • Opcode Fuzzy Hash: c97b305c4e5192c039be4b57959f7d148ad44e176559ca20096398a0f42faa8b
                                                      • Instruction Fuzzy Hash: 3B318F72504308AFD700DF91DC45FDBB7ECEB88715F01083AB645D61A1DBB5E9488B9A
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00406788
                                                      • CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Object_wcslen
                                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                      • API String ID: 240030777-3166923314
                                                      • Opcode ID: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
                                                      • Instruction ID: 6c9b37094527eb08cc4748ecdfbd23cbc672ad5faa28133fe458ce4522bc368c
                                                      • Opcode Fuzzy Hash: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
                                                      • Instruction Fuzzy Hash: B11133B29011186ADB10FAA58955A9E77BCDB48714F11047FF905F3281E77C9A0486BD
                                                      APIs
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00475920), ref: 00419ACE
                                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419B1D
                                                      • GetLastError.KERNEL32 ref: 00419B2B
                                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00419B63
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                      • String ID:
                                                      • API String ID: 3587775597-0
                                                      • Opcode ID: b6999ea4fecf3263421b7913bbd2d185f7a70e8b7a5c33fd228c391ba2809cc5
                                                      • Instruction ID: 410433f0f292194423399e5208e7b63ee2478b974df0930e3a7ace9da88798fe
                                                      • Opcode Fuzzy Hash: b6999ea4fecf3263421b7913bbd2d185f7a70e8b7a5c33fd228c391ba2809cc5
                                                      • Instruction Fuzzy Hash: C28142311043049BC314FB21DC95DAFB7A8BF94718F50492EF582621D2EF78EA09CB9A
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
                                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004752F0,00475308), ref: 0041B734
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B741
                                                        • Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717
                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
                                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,004752F0,00475308), ref: 0041B77B
                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B78E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                      • String ID:
                                                      • API String ID: 2341273852-0
                                                      • Opcode ID: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
                                                      • Instruction ID: 009c1ade3c0c7cd9a9baeecb78710ce3116f293085b5e5d3e47bbce280e6f24a
                                                      • Opcode Fuzzy Hash: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
                                                      • Instruction Fuzzy Hash: 2931937180521CAACB20E7B19C89FDA777CAF55304F0404EBF515E2181EF799AC4CB69
                                                      APIs
                                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130F2
                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130FE
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004132C5
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004132CC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                                      • API String ID: 2127411465-314212984
                                                      • Opcode ID: f9d3c1334e6b58d2f1d69f0e1f1c65ab6f379f9836b455ed853577fe27a59fe1
                                                      • Instruction ID: 0508f95716d3db9771c6b78d28bd3d55684df0f5bc265fe56362dad8d88080f3
                                                      • Opcode Fuzzy Hash: f9d3c1334e6b58d2f1d69f0e1f1c65ab6f379f9836b455ed853577fe27a59fe1
                                                      • Instruction Fuzzy Hash: CEB1A371A043006BC614FA76CC979BE76695F9471CF40063FF846B31E2EE7C9A48869B
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 004190B5
                                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419181
                                                        • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Find$CreateFirstNext
                                                      • String ID: PSG$NG$VG$VG
                                                      • API String ID: 341183262-216422830
                                                      • Opcode ID: 83c192f71006e540b44aec1a451125091b4ed41390244d5e4dd7200b9adb984b
                                                      • Instruction ID: 0b04574543ffaf1c42473f802d0f517b04b5d48d9dde9d4f65c428d20583ff9f
                                                      • Opcode Fuzzy Hash: 83c192f71006e540b44aec1a451125091b4ed41390244d5e4dd7200b9adb984b
                                                      • Instruction Fuzzy Hash: AF8150315042405AC314FB71C8A6EEF73A8AFD0718F50493FF946671E2EF389A49C69A
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004516D3
                                                      • IsValidCodePage.KERNEL32(00000000), ref: 0045172E
                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0045173D
                                                      • GetLocaleInfoW.KERNEL32(?,00001001,00443EFC,00000040,?,0044401C,00000055,00000000,?,?,00000055,00000000), ref: 00451785
                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00443F7C,00000040), ref: 004517A4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                      • String ID: (E
                                                      • API String ID: 745075371-542121585
                                                      • Opcode ID: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
                                                      • Instruction ID: 0c55cced660072bbdea70b00f38c40adf5ab32faa3293abc4b1f14fb3cf6f882
                                                      • Opcode Fuzzy Hash: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
                                                      • Instruction Fuzzy Hash: EB5193719002059BDB10EFA5CC41BBF77B8AF04706F18056BFD11EB262DB789949CB69
                                                      APIs
                                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                      • GetLastError.KERNEL32 ref: 0040B261
                                                      Strings
                                                      • UserProfile, xrefs: 0040B227
                                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                      • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteErrorFileLast
                                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                      • API String ID: 2018770650-1062637481
                                                      • Opcode ID: 485085ca9485ae7de43c789173eb7e4eeafaf3e498a45dc593bc2edb8373611b
                                                      • Instruction ID: af3d5975f8ef5736f4e1f689bc2271043fd855ebe8bb8600121af3fad6928989
                                                      • Opcode Fuzzy Hash: 485085ca9485ae7de43c789173eb7e4eeafaf3e498a45dc593bc2edb8373611b
                                                      • Instruction Fuzzy Hash: 5C01D63168010597CA0476B6DC6F8AF3B24E921708B10017FF802731E2FF3A9905C6DE
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
                                                      • GetLastError.KERNEL32 ref: 00416CE8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                      • String ID: SeShutdownPrivilege
                                                      • API String ID: 3534403312-3733053543
                                                      • Opcode ID: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
                                                      • Instruction ID: cb90277d3e2bb8506008076be0b211c0c8a285b816e0fe18bd298ac82c07c5c8
                                                      • Opcode Fuzzy Hash: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
                                                      • Instruction Fuzzy Hash: EEF0DA75901229BBDB109B91DC4DEEF7EBCEF05656F110065B805B20A2DE748A08CAA5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __floor_pentium4
                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                      • API String ID: 4168288129-2761157908
                                                      • Opcode ID: 1bf5a653629e57a1f7b5c3ded9cb374cb4a646758b38e4d76f229b2a49b28d64
                                                      • Instruction ID: c7cd0fe6fb368e325f13a714a82e3d7b4865f9b831a19f2b9b664dd372279c0a
                                                      • Opcode Fuzzy Hash: 1bf5a653629e57a1f7b5c3ded9cb374cb4a646758b38e4d76f229b2a49b28d64
                                                      • Instruction Fuzzy Hash: 58C27171D046288FDB25CE28DD407EAB3B5EB84346F1541EBD84DE7242E778AE898F44
                                                      APIs
                                                      • __EH_prolog.LIBCMT ref: 004089AE
                                                        • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                        • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                        • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
                                                        • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C
                                                        • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                        • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                        • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                      • String ID:
                                                      • API String ID: 4043647387-0
                                                      • Opcode ID: e8707b4ec4f65b3daa3568d955911baa256536beff12142bcc10b341d26decda
                                                      • Instruction ID: d6647de2ed81915fd1100427b9b1f0ab8477674b12134c2b00fdd843198b9521
                                                      • Opcode Fuzzy Hash: e8707b4ec4f65b3daa3568d955911baa256536beff12142bcc10b341d26decda
                                                      • Instruction Fuzzy Hash: 0DA16E719001089BCB14EBA1DD92AEDB779AF54318F10427FF506B71D2EF385E498B98
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,00419A10,00000000,00000000), ref: 00419DC3
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00419A10,00000000,00000000), ref: 00419DD8
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419DE5
                                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00419A10,00000000,00000000), ref: 00419DF0
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E02
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E05
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                                      • String ID:
                                                      • API String ID: 276877138-0
                                                      • Opcode ID: cfc7b607e36d21359a02d5afcedae3f84f405620953c8a7715537af6fd2295c5
                                                      • Instruction ID: bfab90d9ddd5c2d56401b7e15998ac1c6a079cb4321381bf248b2ffa9e014974
                                                      • Opcode Fuzzy Hash: cfc7b607e36d21359a02d5afcedae3f84f405620953c8a7715537af6fd2295c5
                                                      • Instruction Fuzzy Hash: 60F0E9715403146FD2115B31EC88DBF2A6CDF85BB2B01002EF442A3191CF78CD4995B5
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443F03,?,?,?,?,?,?,00000004), ref: 00450D71
                                                      • _wcschr.LIBVCRUNTIME ref: 00450E01
                                                      • _wcschr.LIBVCRUNTIME ref: 00450E0F
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443F03,00000000,00444023), ref: 00450EB2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                      • String ID: (E
                                                      • API String ID: 4212172061-542121585
                                                      • Opcode ID: 59e7985f3c02f7c10489d8edf0480172058bbcb387fbadea5ac0dcfc1ce8ddaa
                                                      • Instruction ID: 16e6850baad922d2e300dda2121b2fdf61a8ef58a3873fa5b3432b878cecddba
                                                      • Opcode Fuzzy Hash: 59e7985f3c02f7c10489d8edf0480172058bbcb387fbadea5ac0dcfc1ce8ddaa
                                                      • Instruction Fuzzy Hash: A361FC7A500306AAD725AB75CC42ABB73A8EF44316F14082FFD05D7243EB78E949C769
                                                      APIs
                                                        • Part of subcall function 00416C9D: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
                                                        • Part of subcall function 00416C9D: OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
                                                        • Part of subcall function 00416C9D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
                                                        • Part of subcall function 00416C9D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
                                                        • Part of subcall function 00416C9D: GetLastError.KERNEL32 ref: 00416CE8
                                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00415AF3
                                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415B08
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00415B0F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                      • String ID: PowrProf.dll$SetSuspendState
                                                      • API String ID: 1589313981-1420736420
                                                      • Opcode ID: e283aed8030f222677e32f677a5842ddb3918d5861ff5db7f0a7df2b8037313d
                                                      • Instruction ID: be3657bdb4b9c596b700244bf1edaf45c421fe256a6f88bebcc25452880e9c8a
                                                      • Opcode Fuzzy Hash: e283aed8030f222677e32f677a5842ddb3918d5861ff5db7f0a7df2b8037313d
                                                      • Instruction Fuzzy Hash: 84215E71644741A6CB14FBB198A6AFF22599F80748F40483FB442771D2EF7CE889865E
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 0045148C
                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 004514B5
                                                      • GetACP.KERNEL32(?,?,00451712,?,00000000), ref: 004514CA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: ACP$OCP
                                                      • API String ID: 2299586839-711371036
                                                      • Opcode ID: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
                                                      • Instruction ID: 27270ea0035267e4249f05f4639a08e7e92d7e6a6a5113c6df6fa5280cb26525
                                                      • Opcode Fuzzy Hash: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
                                                      • Instruction Fuzzy Hash: 0821C731600100B7DB308F54C901FA773A6AF52B67F5A9566EC0AD7223EB3ADD49C399
                                                      APIs
                                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A85B
                                                      • LoadResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A86F
                                                      • LockResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A876
                                                      • SizeofResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A885
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Resource$FindLoadLockSizeof
                                                      • String ID: SETTINGS
                                                      • API String ID: 3473537107-594951305
                                                      • Opcode ID: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
                                                      • Instruction ID: 1fe06f9b0c9a023904624b9b61caa7bd4c13f92b8b5c35c0d543cfa28092256f
                                                      • Opcode Fuzzy Hash: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
                                                      • Instruction Fuzzy Hash: DAE01A76240720ABCB211BA1BD4CD073E39F7867637000039F549A2221CE75CC52CB29
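The function above loads a resource named SETTINGS of type 0x0A (RT_RCDATA) with FindResourceA, then LoadResource, LockResource and SizeofResource. This is the sequence by which Remcos reads its embedded configuration, which the report's overview flags as "Found malware configuration". The report shows only the load; it does not describe the resource layout. The following is an added example, not Joe Sandbox or sample code, that decodes a dumped SETTINGS resource using the layout described in public Remcos analyses: a one-byte RC4 key length, the RC4 key, then the RC4-encrypted configuration, whose decrypted fields are separated by the bytes `|\x1e\x1e\x1f|`. Both the layout and the delimiter are assumptions to verify against the actual dumped resource (older builds differ); the sample fields and key in the block are constructed, not taken from this sample.

```python
"""Decode a Remcos-style SETTINGS (RT_RCDATA) resource: added example, stdlib only.

Assumed layout (from public Remcos analyses, NOT from this report):
    byte 0          RC4 key length n (1..255)
    bytes 1..n      RC4 key
    bytes n+1..     RC4-encrypted configuration
Decrypted fields are assumed to be joined with FIELD_DELIMITER.
"""
import sys
from typing import List

# Assumed delimiter between configuration fields; verify on a real dump.
FIELD_DELIMITER = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings_resource(resource: bytes) -> bytes:
    """Split the key-length prefix and key off the resource and RC4-decrypt the rest."""
    if not resource:
        raise ValueError("empty resource")
    key_len = resource[0]
    if key_len == 0 or len(resource) < 1 + key_len:
        raise ValueError("resource too short for the declared key length; layout assumption failed")
    key = resource[1:1 + key_len]
    plaintext = rc4(key, resource[1 + key_len:])
    if FIELD_DELIMITER not in plaintext:
        # Either a different build (other delimiter/layout) or not a SETTINGS resource at all.
        raise ValueError("no field delimiter in decrypted data; check layout and delimiter assumptions")
    return plaintext


def split_config(plaintext: bytes) -> List[bytes]:
    """Break the decrypted configuration into its raw fields (order is build-specific)."""
    return plaintext.split(FIELD_DELIMITER)


def build_settings_resource(key: bytes, fields: List[bytes]) -> bytes:
    """Inverse of decrypt_settings_resource; used only to construct offline test input."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_DELIMITER.join(fields))


# Constructed sample configuration: placeholder values, NOT data from the analysed sample.
SAMPLE_FIELDS = [b"c2.example.invalid:2404:1", b"Remote Host", b"1", b"0", b"pass"]
SAMPLE_KEY = b"\x10\x20\x30\x40\x50\x60\x70\x80"
SAMPLE_RESOURCE = build_settings_resource(SAMPLE_KEY, SAMPLE_FIELDS)


if __name__ == "__main__":
    # Usage: python decode_settings.py <dumped SETTINGS resource>; defaults to the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESOURCE
    for index, field in enumerate(split_config(decrypt_settings_resource(blob))):
        print(f"[{index:02d}] {field!r}")
```

Dump the SETTINGS resource with any PE resource tool first; the decoder deliberately fails loudly when the assumed delimiter is absent, so a build with a different layout is reported rather than misparsed.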
                                                      APIs
                                                      • __EH_prolog.LIBCMT ref: 00407A91
                                                      • FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstH_prologNext
                                                      • String ID:
                                                      • API String ID: 1157919129-0
                                                      • Opcode ID: 44beeb7efd5a27b9ae6b5ed8b1b3fbc2cf3811c381e0606dcb53b55a88831ffb
                                                      • Instruction ID: e1cc7e471fba1e38487cd482a49156f4879f85d64aa43a49cb1f79655cfb0c65
                                                      • Opcode Fuzzy Hash: 44beeb7efd5a27b9ae6b5ed8b1b3fbc2cf3811c381e0606dcb53b55a88831ffb
                                                      • Instruction Fuzzy Hash: 325162729001085ACB14FBA5DD969ED7B78AF50318F50417FB806B31D2EF3CAB498B99
                                                      APIs
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                      Strings
                                                      • open, xrefs: 0040622E
                                                      • C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DownloadExecuteFileShell
                                                      • String ID: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe$open
                                                      • API String ID: 2825088817-1264904375
                                                      • Opcode ID: ad4cd8f0b1742ba2f271eadf04a78ea359f7dd7c98a1af5993a1802d316398a1
                                                      • Instruction ID: e32f65eb076a11421f0b28df520d432f118a03887cfea0ef8c7e4d0a3f62d172
                                                      • Opcode Fuzzy Hash: ad4cd8f0b1742ba2f271eadf04a78ea359f7dd7c98a1af5993a1802d316398a1
                                                      • Instruction Fuzzy Hash: E361CF3160430067CA14FA76D8569BE37A59F81718F01493FBC46772E6EF3CAA05C69B
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileFind$FirstNextsend
                                                      • String ID: pPG$pPG
                                                      • API String ID: 4113138495-3204143781
                                                      • Opcode ID: 04cbaa432c918a42c53807cd0f2a3c10c6dd4e32f952d56d9836a960f393f504
                                                      • Instruction ID: b94dab712156e78be0f8cc3bef15d45c6a114b58aade1ae888b20ae253cfdc5a
                                                      • Opcode Fuzzy Hash: 04cbaa432c918a42c53807cd0f2a3c10c6dd4e32f952d56d9836a960f393f504
                                                      • Instruction Fuzzy Hash: F42187715043015BC714FB61DC95DEF77A8AF90318F40093EF996A31E1EF38AA08CA9A
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77
                                                        • Part of subcall function 004127AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
                                                        • Part of subcall function 004127AA: RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
                                                        • Part of subcall function 004127AA: RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateInfoParametersSystemValue
                                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                      • API String ID: 4127273184-3576401099
                                                      • Opcode ID: 6c22d536f9cf41db2e3193d33a149bd53ec698417932bdd12186eb798744da75
                                                      • Instruction ID: 3b74369dcb7a8544f1b55df16a592c3d868ba554001bd6a4c71ed5c97b6fc17b
                                                      • Opcode Fuzzy Hash: 6c22d536f9cf41db2e3193d33a149bd53ec698417932bdd12186eb798744da75
                                                      • Instruction Fuzzy Hash: F5112132B8035033D518313A5E67BBF2816D34AB60F55415FB6066A6CAFADE4AA103DF
                                                      APIs
                                                      • __EH_prolog.LIBCMT ref: 00408DAC
                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileFind$FirstH_prologNext
                                                      • String ID:
                                                      • API String ID: 301083792-0
                                                      • Opcode ID: 51940071d9f0d9280fa3336faee050b72c9abacde1575dd18f02a12ebdfc1b05
                                                      • Instruction ID: 402ed7a5658d2f2a6adb961a0daa6f616ba37c5e7974c2bf040f6c8ce137202a
                                                      • Opcode Fuzzy Hash: 51940071d9f0d9280fa3336faee050b72c9abacde1575dd18f02a12ebdfc1b05
                                                      • Instruction Fuzzy Hash: 127141728001199BCB15EBA1DC919EE7778AF54314F10427FE846B71E2EF385E49CB98
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004510CE
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111F
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004511DF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                                      • String ID:
                                                      • API String ID: 2829624132-0
                                                      • Opcode ID: dd837d4aabf90151236531eaa8a7eeaa8db7e820d6096a7a5c305d7033fab590
                                                      • Instruction ID: aee342ac21436657f5846041838c3bd09d84a4d920a4c2a145562aed062da8a9
                                                      • Opcode Fuzzy Hash: dd837d4aabf90151236531eaa8a7eeaa8db7e820d6096a7a5c305d7033fab590
                                                      • Instruction Fuzzy Hash: F661D8719005079BDB289F25CC82B7677A8EF04306F1041BBFD05D66A2EB78D949DB58
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A965
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A96F
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A97C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      • Opcode ID: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
                                                      • Instruction ID: 2e36d9e0b5662236be867d7d52d6a22dc3a0b47d07fc7de068387a758ceea7c7
                                                      • Opcode Fuzzy Hash: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
                                                      • Instruction Fuzzy Hash: E731D6B491131CABCB21DF24D98978DB7B8BF08311F5051EAE80CA7251EB749F818F49
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 00442785
                                                      • TerminateProcess.KERNEL32(00000000,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 0044278C
                                                      • ExitProcess.KERNEL32 ref: 0044279E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      • Opcode ID: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
                                                      • Instruction ID: c8bd48e99420b6c7b8697c64d03bd4ba31791432aa3bec6fd876c0c539ce8582
                                                      • Opcode Fuzzy Hash: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
                                                      • Instruction Fuzzy Hash: 7EE04F31000704AFEF016F10DD099493F29EF50396F448469F90896132CF79DC42CA48
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041525B,00000000), ref: 0041AED7
                                                      • NtSuspendProcess.NTDLL(00000000), ref: 0041AEE4
                                                      • CloseHandle.KERNEL32(00000000,?,?,0041525B,00000000), ref: 0041AEED
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseHandleOpenSuspend
                                                      • String ID:
                                                      • API String ID: 1999457699-0
                                                      • Opcode ID: 3b5e723eaf058cf4912863f44fffedc3e3ae8a4bfc071aeb07fd662f2e304fa3
                                                      • Instruction ID: cbdad53ed629db76d40e0897fbdb217e77766e02faa6d5bf56048ccc5fb15ac5
                                                      • Opcode Fuzzy Hash: 3b5e723eaf058cf4912863f44fffedc3e3ae8a4bfc071aeb07fd662f2e304fa3
                                                      • Instruction Fuzzy Hash: 80D05E32500222638220176A7C0D997EE68DBC1AB2702416AF404D22219E30C88186A9
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415280,00000000), ref: 0041AF03
                                                      • NtResumeProcess.NTDLL(00000000), ref: 0041AF10
                                                      • CloseHandle.KERNEL32(00000000,?,?,00415280,00000000), ref: 0041AF19
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseHandleOpenResume
                                                      • String ID:
                                                      • API String ID: 3614150671-0
                                                      • Opcode ID: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
                                                      • Instruction ID: 5834692e6dbfc7302e0627ffd9745f57241b902771746b5adb28784224297b78
                                                      • Opcode Fuzzy Hash: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
                                                      • Instruction Fuzzy Hash: 7CD05E32504121638220176A6C0D997ED68DBC5AB3702422AF504D22219E30C881C6A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .
                                                      • API String ID: 0-248832578
                                                      • Opcode ID: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
                                                      • Instruction ID: eafca5d3f29716c6c78e4e4ea3ad02361a474eaab44c7f235df41bcab4a95e78
                                                      • Opcode Fuzzy Hash: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
                                                      • Instruction Fuzzy Hash: 3431F472D00249ABEB249E79CC85EFB7BBDDB85314F0401AEF419D7251E6349E418B54
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004477FA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: GetLocaleInfoEx
                                                      • API String ID: 2299586839-2904428671
                                                      • Opcode ID: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
                                                      • Instruction ID: 58a0a1dc03b065be57d87c6409a63545e464c60cfee5b8c381720ea1698dad41
                                                      • Opcode Fuzzy Hash: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
                                                      • Instruction Fuzzy Hash: A0F0F631640318B7DB056F61CC06F6E7B64DB04712F10019AFC0467252CF75AB119A9D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49a3bfabf79a65c690f97e76fe456cb77f79ea6cd6c50daa38502d700b1f7d22
                                                      • Instruction ID: e2cf6eb340ac48f4c2d61266dea52d41f096047f3e1279b99095df37311d6468
                                                      • Opcode Fuzzy Hash: 49a3bfabf79a65c690f97e76fe456cb77f79ea6cd6c50daa38502d700b1f7d22
                                                      • Instruction Fuzzy Hash: 6A023D71E002199BEF14CFA9C9806AEB7F1FF48314F15826AD919E7354D734AE41CB94
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004522DD,?,?,00000008,?,?,00455622,00000000), ref: 0045250F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      • Opcode ID: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
                                                      • Instruction ID: f5116c66f7d103febd2a8608562706e5703b7900b8c4b7f838cfdcb30f3e5b5c
                                                      • Opcode Fuzzy Hash: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
                                                      • Instruction Fuzzy Hash: A3B19D312106089FD714CF28C586B557BE0FF06366F29865AEC9ACF2A2C379D986CB44
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0
                                                      • API String ID: 0-4108050209
                                                      • Opcode ID: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
                                                      • Instruction ID: 31134252bc459ed72560d692cedbd99cf1c15514e9e569b0755b2466d1e16266
                                                      • Opcode Fuzzy Hash: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
                                                      • Instruction Fuzzy Hash: 0B0285327083418BD714DF29D951B2EF3E1BFCC768F15892EF4899B381DA78A8058B85
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045131E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                                      • String ID:
                                                      • API String ID: 1663032902-0
                                                      • Opcode ID: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
                                                      • Instruction ID: 0b21b5069fbf1db5bec531630a8d3eee6f1f474d64bb54c6a1c44a3d8e2cc721
                                                      • Opcode Fuzzy Hash: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
                                                      • Instruction Fuzzy Hash: 2221D372501206ABEB24AB25CC61B7B77ACEB04316F10017BFD01D6663EB78AD49CB58
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                      • EnumSystemLocalesW.KERNEL32(0045107A,00000001,00000000,?,00443EFC,?,004516A7,00000000,?,?,?), ref: 00450FC4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                      • String ID:
                                                      • API String ID: 1084509184-0
                                                      • Opcode ID: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
                                                      • Instruction ID: 451a354658792f2252a151bea30e2a99c0585190810680eeac5085bd3c0c80bb
                                                      • Opcode Fuzzy Hash: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
                                                      • Instruction Fuzzy Hash: FD11293B2007019FDB28AF39C8916BABB92FF8435AB14442DE94747B41D7B9B847C744
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451298,00000000,00000000,?), ref: 00451526
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale_abort_free
                                                      • String ID:
                                                      • API String ID: 2692324296-0
                                                      • Opcode ID: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
                                                      • Instruction ID: d2fe2c3fce417e68b0623dfb5eb434355baf81d8c10f12b7a8aa08190ad777f0
                                                      • Opcode Fuzzy Hash: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
                                                      • Instruction Fuzzy Hash: 4AF0F9326102197BDB289A258C46BBB7758EB80755F04046AEC07A3251FA78FD45C6D4
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                      • EnumSystemLocalesW.KERNEL32(004512CA,00000001,?,?,00443EFC,?,0045166B,00443EFC,?,?,?,?,?,00443EFC,?,?), ref: 00451039
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                      • String ID:
                                                      • API String ID: 1084509184-0
                                                      • Opcode ID: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
                                                      • Instruction ID: 969c50ee721750b2a7664082bdad3607fc28c6e2ba06475257799e5d9796a5a7
                                                      • Opcode Fuzzy Hash: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
                                                      • Instruction Fuzzy Hash: 19F028363003045FDB245F76DC81B7B7B95EF8075DF04442EFD4187A92D6B99C828604
                                                      APIs
                                                        • Part of subcall function 00444CDC: EnterCriticalSection.KERNEL32(-00472558,?,0044246B,00000000,0046EAD0,0000000C,00442426,0000000A,?,?,00448949,0000000A,?,00447184,00000001,00000364), ref: 00444CEB
                                                      • EnumSystemLocalesW.KERNEL32(00447278,00000001,0046EC58,0000000C), ref: 004472F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                      • String ID:
                                                      • API String ID: 1272433827-0
                                                      • Opcode ID: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
                                                      • Instruction ID: acebf021cc54f47487df9b00313a15cc1bfd22b3d47c3c45ccbcf72c34342655
                                                      • Opcode Fuzzy Hash: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
                                                      • Instruction Fuzzy Hash: 97F06236620200DFEB10EF79DE46B5D37E0EB44715F10816AF414DB2A1CBB89981DB4D
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                      • EnumSystemLocalesW.KERNEL32(00450E5E,00000001,?,?,?,004516C9,00443EFC,?,?,?,?,?,00443EFC,?,?,?), ref: 00450F3E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                      • String ID:
                                                      • API String ID: 1084509184-0
                                                      • Opcode ID: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
                                                      • Instruction ID: 7585e2e2e927d60b614fbbb7cbec4ece609ea7599c31e6a5607aeddcbc8761df
                                                      • Opcode Fuzzy Hash: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
                                                      • Instruction Fuzzy Hash: 89F0E53A30020557CB28AF35D845B6A7F94EFC1715B16449EFE098B252C67AD886C794
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00033EEE,00433BBC), ref: 00433EE7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
                                                      • Instruction ID: 9bcc487b38fe881941be7e97ad5738302595bcb4dafebc2e14986f4c0a09dd7d
                                                      • Opcode Fuzzy Hash: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
                                                      • Instruction Fuzzy Hash:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                      • Instruction ID: 918b0ebc11a623be2c3a075c7dacafa9f372a23f1c3751216f0e188bc6ec1ae1
                                                      • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                      • Instruction Fuzzy Hash: 75416771A087158FC314CE29C48162BFBE1FFC8310F648A1EF98693350D679E984CB86
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NG
                                                      • API String ID: 0-1651712548
                                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                      • Instruction ID: 1c32571a3dfe778fa5c185cf8bc6913e7641393edb8458615b62c9d9f031e262
                                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                      • Instruction Fuzzy Hash: AA11E6F724C08243D635862DC4B46BBA795EBCD321F2C626BDCC24B758D23AA945F908
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: HeapProcess
                                                      • String ID:
                                                      • API String ID: 54951025-0
                                                      • Opcode ID: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
                                                      • Instruction ID: 07883168748708d5871df038b293f30180ed36dce4f2d3eb69edcdcf819b44e4
                                                      • Opcode Fuzzy Hash: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
                                                      • Instruction Fuzzy Hash: 8EA01130202202CBA3008F32AB0A20A3BA8AA00AA23028038A00AC02A0EE2080808A08
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: daa15e32a72831e46b3c61932d047b022fcf8146eeed5cebd1c5d41c65fd85a6
                                                      • Instruction ID: 9a438bc9e2fc22055b190f670ef66c3370438dec1b294d2ef7e2678560d22162
                                                      • Opcode Fuzzy Hash: daa15e32a72831e46b3c61932d047b022fcf8146eeed5cebd1c5d41c65fd85a6
                                                      • Instruction Fuzzy Hash: BE325721D29F014DE7279A35C8623366689AFBB3C5F14D737F819B5AA6EF2CC5830105
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f4af8b37f4defc4199b161d53b4d96f103fc90b589b5ac19ca4300a5eebd0f3
                                                      • Instruction ID: c1435a2baeed09a5a3259e0536aa218d1a742a19b3e0efe55a8499c03c4c3cac
                                                      • Opcode Fuzzy Hash: 7f4af8b37f4defc4199b161d53b4d96f103fc90b589b5ac19ca4300a5eebd0f3
                                                      • Instruction Fuzzy Hash: C332A1756087569BC715DF2AC4807ABB7E1BF84304F044A2EFC958B381D778DD868B8A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
                                                      • Instruction ID: ba505550dfe6ff667973af58f2e26a28558ab2450a604d8934fff0a0de9d4b4c
                                                      • Opcode Fuzzy Hash: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
                                                      • Instruction Fuzzy Hash: E002A071B145528FE318CF2EEC90536B7E1AB8D301745867EE486C7381EB74E922CB99
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14f2c04f30688e9b56e2fb3764798841ed8a236a41f0f424bf7fd8b45a1b82b0
                                                      • Instruction ID: 5a71f349ba3f9fd68778d37660bff7a0658bdf00a392eb754e277e7013b3f26f
                                                      • Opcode Fuzzy Hash: 14f2c04f30688e9b56e2fb3764798841ed8a236a41f0f424bf7fd8b45a1b82b0
                                                      • Instruction Fuzzy Hash: 01F17171A142558FD304DF1DE89187B73E4FB89301B44092EF183D7391DA74EA19CBAA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a8269e18aa3b2fd96c1213e9b8022c4c073f53bdae2f6b844dfaaafdf28db3f1
                                                      • Instruction ID: a41bb019b54bfded01c7b41d156f95a2cbb072d1dd28d49048bf85c092e0f3ee
                                                      • Opcode Fuzzy Hash: a8269e18aa3b2fd96c1213e9b8022c4c073f53bdae2f6b844dfaaafdf28db3f1
                                                      • Instruction Fuzzy Hash: 27D191B1A083158BC721DE69C490A5FB7E4BF88354F445A2EF8D597321E738DE09CB86
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                      • Instruction ID: 3c41eba25cca95e3826e3c7b6cd4dae3ec9239a5c93a684b18aa23140a28fc10
                                                      • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                      • Instruction Fuzzy Hash: A9B184795142998ACB05EF68C4913F63BA1EF6A300F0851B9EC9CCF757D3398506EB64
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                      • Instruction ID: ead0cef3b0fda5c4522f49b9ed51e98e8a5165699e21cbc4f344a2de8f03cfd9
                                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                      • Instruction Fuzzy Hash: FF9198722090A35DDB29423E843403FFFE15A563A1B1B679FE4F3CB2C5ED28C5699624
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                      • Instruction ID: 3a5f3f28e05ced0c476ae62a9fbfc87eb2deb37e5825eaa5068885373994e230
                                                      • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                      • Instruction Fuzzy Hash: 5B9154B310C0E349DB3D4639847403FFEF15A563A1B1A679FE4F2CA2C5EE288565D624
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                      • Instruction ID: eb820b35a2641912eb9ff5d16cdfa81a50ceb30e04b2f4d47c9798fb0fa66f46
                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                      • Instruction Fuzzy Hash: 3491A7722090A31DDB2D4639843403FFFE15A563A1B1BA79FD4F2CB2C5ED28D964DA24
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
                                                      • Instruction ID: 3cf18c0d826463afbe89e475a5c7b17f33369b7a6d620af3ef40d0ad4ead64e4
                                                      • Opcode Fuzzy Hash: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
                                                      • Instruction Fuzzy Hash: 10615771E0060867EE386968B856BBF23A4AF4DB18F14341BE843DB385D65DDD43835E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
                                                      • Instruction ID: b9fa1b0b40c6464c7c23e4f783a2c4cc8d7b3f542efc6a4ce67a7e3fa50c54dc
                                                      • Opcode Fuzzy Hash: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
                                                      • Instruction Fuzzy Hash: 596136B1E0060896DB385A28B8967BF2398EB5D304F14351BEC83DB381D66DED46875F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                      • Instruction ID: 7b3a2e63247afe9edf549f88f25df29c5744deddbf3acd7c38ddff1b86da152b
                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                      • Instruction Fuzzy Hash: A081C9B21090A31DDB2D423A853413FFFE15E553A1B1BA79FD4F2CA2C5EE28C564D624
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                      • Instruction ID: cee5e8aa058cab72f47c1252862074b7a33edcf92ba99b8242ad85c8d79f7feb
                                                      • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                      • Instruction Fuzzy Hash: 6A51787160060857DB395A6885D67BF2B899B0E344F18742FE48BFB382C60DED12D39E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                      • Instruction ID: a1764f4878c0090f3dddee11b9fa4dd44c6bcaf443cdbc9a7423fc55b8fdb92d
                                                      • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                      • Instruction Fuzzy Hash: 285138616407049BDB38856884DB7BF679A9B5E704F18390FE486F73C2C60DEE06875E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
                                                      • Instruction ID: b54697577a8b4caa58ab057165119fb3c01a9d9d25aa48dfc33613f80cd324c0
                                                      • Opcode Fuzzy Hash: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
                                                      • Instruction Fuzzy Hash: D2616D32A0C3059FC308DF75E581A5BB7E5BFCC718F910D1EF4899A151E634EA088B96
                                                      APIs
                                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004181AF
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 004181BA
                                                        • Part of subcall function 00418648: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418678
                                                      • CreateCompatibleBitmap.GDI32(?,00000000), ref: 0041823B
                                                      • DeleteDC.GDI32(?), ref: 00418253
                                                      • DeleteDC.GDI32(00000000), ref: 00418256
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00418261
                                                      • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418289
                                                      • GetCursorInfo.USER32(?), ref: 004182AB
                                                      • GetIconInfo.USER32(?,?), ref: 004182C1
                                                      • DeleteObject.GDI32(?), ref: 004182F0
                                                      • DeleteObject.GDI32(?), ref: 004182FD
                                                      • DrawIcon.USER32(00000000,?,?,?), ref: 0041830A
                                                      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00660046), ref: 0041833A
                                                      • GetObjectA.GDI32(?,00000018,?), ref: 00418369
                                                      • LocalAlloc.KERNEL32(00000040,00000028), ref: 004183B2
                                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 004183D5
                                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 0041843E
                                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00418461
                                                      • DeleteDC.GDI32(?), ref: 00418475
                                                      • DeleteDC.GDI32(00000000), ref: 00418478
                                                      • DeleteObject.GDI32(00000000), ref: 0041847B
                                                      • GlobalFree.KERNEL32(00CC0020), ref: 00418486
                                                      • DeleteObject.GDI32(00000000), ref: 0041853A
                                                      • GlobalFree.KERNEL32(?), ref: 00418541
                                                      • DeleteDC.GDI32(?), ref: 00418551
                                                      • DeleteDC.GDI32(00000000), ref: 0041855C
                                                      • DeleteDC.GDI32(?), ref: 0041858E
                                                      • DeleteDC.GDI32(00000000), ref: 00418591
                                                      • DeleteObject.GDI32(?), ref: 00418597
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                      • String ID: DISPLAY
                                                      • API String ID: 1352755160-865373369
                                                      • Opcode ID: f43b31cd191835719c67feef2a51a2d06668b937d994ffc7dcc294679b32e0a8
                                                      • Instruction ID: a1654617e6feb41a21483335bab58d6c80918fdf06c9fa75f2eb3c48c5790805
                                                      • Opcode Fuzzy Hash: f43b31cd191835719c67feef2a51a2d06668b937d994ffc7dcc294679b32e0a8
                                                      • Instruction Fuzzy Hash: EFC16C31504344AFD7209F21CC44BABBBE9EF88751F44482EF989A32A1DF34E945CB5A
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417472
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00417475
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417486
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00417489
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041749A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041749D
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004174AE
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004174B1
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417552
                                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041756A
                                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00417580
                                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004175A6
                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417626
                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 0041763A
                                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00417671
                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041773E
                                                      • SetThreadContext.KERNEL32(?,00000000), ref: 0041775B
                                                      • ResumeThread.KERNEL32(?), ref: 00417768
                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417780
                                                      • GetCurrentProcess.KERNEL32(?), ref: 0041778B
                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 004177A5
                                                      • GetLastError.KERNEL32 ref: 004177AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                      • API String ID: 4188446516-3035715614
                                                      • Opcode ID: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
                                                      • Instruction ID: 9d7e092ec3b05a7a521957261ed1896ff906ab06cfb84d00d3f911d9ff722cfe
                                                      • Opcode Fuzzy Hash: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
                                                      • Instruction Fuzzy Hash: C3A16D71508304AFD710DF65CD89B6B7BF8FB48345F00082EF699962A1DB75E884CB6A
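The function at 00417472 above resolves ZwCreateSection, ZwMapViewOfSection, ZwUnmapViewOfSection and ZwClose by name from ntdll, creates a child with CreateProcessW whose dwCreationFlags is 00000004 (CREATE_SUSPENDED), reads its context, writes into it, replaces the thread context and resumes it. That is the process-hollowing loader sequence. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses API lines in the format this report uses and flags that sequence. The embedded lines are copied from the listing above; using call-site address order as a proxy for execution order is an assumption that only holds for straight-line code.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: int        # call-site address from the "ref:" field
    subcall: bool   # line was marked "Part of subcall function ..."


_REF = re.compile(r",?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
_HEAD = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)(?:\((.*)\))?$", re.S
)


def parse_api_line(line: str) -> Optional[Call]:
    """Parse one '• Api.MODULE(args), ref: ADDR' line of a Joe Sandbox function listing."""
    text = line.strip().lstrip("•").strip()
    m = _REF.search(text)
    if not m:
        return None
    head = text[: m.start()].strip()
    h = _HEAD.match(head)
    if not h:
        return None
    api, module, raw_args = h.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return Call(api, module, args, int(m.group(1), 16), head.startswith("Part of subcall"))


def hex_arg(call: Call, index: int) -> Optional[int]:
    """Argument `index` as an int when the report rendered it as a hex literal; None for '?' or strings."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


CREATE_SUSPENDED = 0x00000004
# Thread-context swap that follows the image write, in the order a hollowing loader issues it.
CONTEXT_SWAP_CHAIN = ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def detect_process_hollowing(lines: List[str]) -> Dict[str, bool]:
    calls = [c for c in (parse_api_line(l) for l in lines) if c is not None]
    by_name: Dict[str, List[Call]] = {}
    for c in calls:
        by_name.setdefault(c.api, []).append(c)

    # 1. Child created suspended: dwCreationFlags is CreateProcess's 6th parameter (index 5).
    creates = by_name.get("CreateProcessW", []) + by_name.get("CreateProcessA", [])
    create_suspended = any((hex_arg(c, 5) or 0) & CREATE_SUSPENDED for c in creates)

    # 2. ZwUnmapViewOfSection looked up by name instead of imported: the name is visible as a
    #    stack argument of the GetModuleHandleA/GetProcAddress pair.
    resolvers = by_name.get("GetModuleHandleA", []) + by_name.get("GetProcAddress", [])
    unmap_resolved = any(
        name in c.args for c in resolvers for name in ("ZwUnmapViewOfSection", "NtUnmapViewOfSection")
    )

    # 3. Each link of the chain must sit at a higher call-site address than the previous one.
    #    Assumption: address order approximates execution order (straight-line code only).
    last_ref = -1
    chain_in_order = True
    for name in CONTEXT_SWAP_CHAIN:
        later = [c.ref for c in by_name.get(name, []) if c.ref > last_ref]
        if not later:
            chain_in_order = False
            break
        last_ref = min(later)

    return {
        "create_suspended": create_suspended,
        "unmap_resolved": unmap_resolved,
        "context_swap_chain": chain_in_order,
        "verdict": create_suspended and unmap_resolved and chain_in_order,
    }


# Lines copied from the function listing above (the function at 00417472 in this report).
REPORT_LINES = [
    "• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417472",
    "• GetProcAddress.KERNEL32(00000000), ref: 00417475",
    "• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041749A",
    "• GetProcAddress.KERNEL32(00000000), ref: 0041749D",
    "• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417552",
    "• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041756A",
    "• GetThreadContext.KERNEL32(?,00000000), ref: 00417580",
    "• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004175A6",
    "• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041773E",
    "• SetThreadContext.KERNEL32(?,00000000), ref: 0041775B",
    "• ResumeThread.KERNEL32(?), ref: 00417768",
    "• GetLastError.KERNEL32 ref: 004177AD",
]

if __name__ == "__main__":
    print(detect_process_hollowing(REPORT_LINES))
```

The three checks are deliberately independent: a suspended child alone is common in legitimate debuggers and installers, and GetThreadContext/SetThreadContext alone is what a debugger does; it is the combination with a by-name lookup of the unmap primitive and a write into the child between the two context calls that makes the verdict.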
                                                      APIs
                                                        • Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                        • Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
                                                        • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                        • Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C632
                                                      • ExitProcess.KERNEL32 ref: 0040C63E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                      • String ID: SG$ SG$ SG$""", 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                      • API String ID: 1861856835-1415323999
                                                      • Opcode ID: 8e9550d2a36138100e1c2fc1d5f82ae9fdcfc18a7661daa6d71ec6f3d761d588
                                                      • Instruction ID: 61d23169d088639e971774d7266815e56d2523c1fe05d3951d40341dc357c42d
                                                      • Opcode Fuzzy Hash: 8e9550d2a36138100e1c2fc1d5f82ae9fdcfc18a7661daa6d71ec6f3d761d588
                                                      • Instruction Fuzzy Hash: F891A3316042005AC314FB21D852AAF7799AF90318F50453FF88AB71E2EF7CAD49C69E
                                                      APIs
                                                        • Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                        • Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C013
                                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C056
                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C065
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
                                                        • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                        • Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C280
                                                      • ExitProcess.KERNEL32 ref: 0040C287
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                      • String ID: SG$ SG$")$.vbs$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                      • API String ID: 3797177996-899740633
                                                      • Opcode ID: 45352128316decb50fa812bea07fa27229c4ed24509ec15bd5d086fbabda10ef
                                                      • Instruction ID: 3970d62be7f9f5e1fdb580af11360c5c0218cddba346a3e39168d22276c4a34b
                                                      • Opcode Fuzzy Hash: 45352128316decb50fa812bea07fa27229c4ed24509ec15bd5d086fbabda10ef
                                                      • Instruction Fuzzy Hash: 838194316042005BC315FB21D852AAF7799AF91708F10453FF986A72E2EF7C9D49C69E
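The two functions above (at 0040C38B and 0040C013) are the uninstall path: both delete a key under the HKEY_CURRENT_USER root (RegDeleteKeyA with 80000001), reset the file attributes of the executable, and hand off to a script under Temp via ShellExecuteW before ExitProcess. Their "String ID" fields carry the VBScript fragments of that script: a `while fso.FileExists(` loop that keeps calling `fso.DeleteFile` until the exe is gone, `fso.DeleteFolder`, and `fso.DeleteFile(Wscript.ScriptFullName)` so the script removes itself, plus the two Run keys it cleans. The report lists the fragments without their original order, so the script is not reconstructed here. The Python below is an added example, not code from Joe Sandbox or the sample: it splits the `$`-joined field and sorts the fragments into artifacts a responder can check. The root-handle table and the token lists used for classification are assumptions of this example, not something the report states.

```python
import re
from typing import Dict, List

# Root handles as the report prints the first argument of RegDeleteKeyA/RegOpenKeyExA (80000001 above).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Tokens that mark a fragment as VBScript, plus fragments made only of quotes, parens and digits
# (pieces of the same script that the report lists without their original order).
_VBS_TOKENS = ("fso.", "CreateObject(", "On Error", "wend", "while ")
_VBS_PUNCT = re.compile(r'^[\s"(),\d]+$')


def split_string_id(field: str) -> List[str]:
    """Joe Sandbox joins every string a function references with '$' in its 'String ID' field."""
    return [s for s in field.split("$") if s.strip()]


def classify_strings(strings: List[str], reg_root_handle: int) -> Dict[str, List[str]]:
    """Turn the raw fragments into checkable artifacts: registry keys, script lines, file names."""
    root = HKEY_ROOTS.get(reg_root_handle, f"0x{reg_root_handle:08X}")
    out: Dict[str, List[str]] = {"registry_keys": [], "vbscript": [], "file_artifacts": [], "other": []}
    for s in strings:
        if s.startswith("Software\\"):
            # Relative key path; the root comes from the handle passed to the Reg* call.
            out["registry_keys"].append(root + "\\" + s.rstrip("\\"))
        elif any(tok in s for tok in _VBS_TOKENS) or _VBS_PUNCT.match(s):
            out["vbscript"].append(s)
        elif s.startswith("\\") or s.endswith(".vbs") or s == "Temp":
            out["file_artifacts"].append(s)
        else:
            out["other"].append(s)
    return out


def has_self_delete_loop(strings: List[str]) -> bool:
    """True when all pieces of 'loop until the exe can be deleted, then delete the script itself' are present."""
    needed = ('while fso.FileExists("', 'fso.DeleteFile "', "wend", "fso.DeleteFile(Wscript.ScriptFullName)")
    return all(n in strings for n in needed)


# The "String ID" field of the function at 0040C38B above, copied verbatim.
STRING_ID_FIELD = r'SG$ SG$ SG$""", 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("'

if __name__ == "__main__":
    fragments = split_string_id(STRING_ID_FIELD)
    for kind, items in classify_strings(fragments, 0x80000001).items():
        print(kind, items)
    print("self-delete loop:", has_self_delete_loop(fragments))
```

The two registry paths are the standard HKCU Run key and the less-watched Policies\Explorer\Run key; the `\update.vbs` name under Temp and the `exepath` value name are the file and registry artifacts the same routine leaves or removes. Short fragments such as `SG` and `PSG` fall through to "other"; they are not part of the script and should not be turned into indicators.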
                                                      APIs
                                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00475308,?,00000000), ref: 004113AC
                                                      • ExitProcess.KERNEL32 ref: 004115F5
                                                        • Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
                                                        • Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
                                                        • Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775
                                                        • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00411433
                                                      • OpenProcess.KERNEL32(00100000,00000000,,@,?,?,?,?,00000000), ref: 00411442
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0041144D
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411454
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 0041145A
                                                        • Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                        • Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                        • Part of subcall function 004128AD: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                      • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041148B
                                                      • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 004114E7
                                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411501
                                                      • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 00411513
                                                        • Part of subcall function 0041B79A: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
                                                        • Part of subcall function 0041B79A: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
                                                        • Part of subcall function 0041B79A: CloseHandle.KERNEL32(00000000), ref: 0041B817
                                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041155B
                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0041159C
                                                      • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004115B1
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004115BC
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004115C3
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004115C9
                                                        • Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                      • String ID: ,@$.exe$0TG$PSG$WDH$exepath$open$temp_
                                                      • API String ID: 4250697656-4136069298
                                                      • Opcode ID: db40e97701d6933eb01dc6137a2f1fe71b6556f31fe51939fd8c3e0f7f5558e8
                                                      • Instruction ID: 17001e37a1d7cf9a3413e78a7a022695eb621cd558d1591dce66fb7483b9d66c
                                                      • Opcode Fuzzy Hash: db40e97701d6933eb01dc6137a2f1fe71b6556f31fe51939fd8c3e0f7f5558e8
                                                      • Instruction Fuzzy Hash: 7551B571A00315BBDB00A7A09C46EFE736E9B44715F10416BF906B71E2EF788E858A9D
                                                      APIs
                                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A4A8
                                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A4BC
                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00466554), ref: 0041A4E4
                                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041A4F5
                                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A536
                                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A54E
                                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A563
                                                      • SetEvent.KERNEL32 ref: 0041A580
                                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A591
                                                      • CloseHandle.KERNEL32 ref: 0041A5A1
                                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A5C3
                                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A5CD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                      • String ID: alias audio$" type $TeF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                      • API String ID: 738084811-3504112074
                                                      • Opcode ID: 487eb8d61853791132be4fc542b0a4356c39d735bd1ee74e7e5f7e21231ae993
                                                      • Instruction ID: 23b594f260307180257043fa1e2d6aa1707bafa700398656917524c484c431be
                                                      • Opcode Fuzzy Hash: 487eb8d61853791132be4fc542b0a4356c39d735bd1ee74e7e5f7e21231ae993
                                                      • Instruction Fuzzy Hash: A251B1716442046AD214BB32EC92EBF3B9DAB90758F10443FF445621E2EE789D48866F
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 0040BC75
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                      • _wcslen.LIBCMT ref: 0040BD54
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                      • _wcslen.LIBCMT ref: 0040BE34
                                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750FC,0000000E), ref: 0040BE9B
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000001), ref: 0040BEB9
                                                      • ExitProcess.KERNEL32 ref: 0040BED0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                      • String ID: SG$ SG$ SG$ SG$ SG$6$C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe$del$open
                                                      • API String ID: 1579085052-2286748684
                                                      • Opcode ID: 0585f1678bb5d4e8e7e6530c04c4a9b567f933f53f733ffc91d09e89a9b2ad51
                                                      • Instruction ID: cada26950b0f91ffbe9684419e497f708478a0192fdd3dd39558b78de3226dfb
                                                      • Opcode Fuzzy Hash: 0585f1678bb5d4e8e7e6530c04c4a9b567f933f53f733ffc91d09e89a9b2ad51
                                                      • Instruction Fuzzy Hash: 0B51C1316046006BD609B722EC52E7F77889F81719F50443FF985A62E2DF7CAD4582EE
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                      • WriteFile.KERNEL32(00000000,00472B02,00000002,00000000,00000000), ref: 00401CE0
                                                      • WriteFile.KERNEL32(00000000,00472B04,00000004,00000000,00000000), ref: 00401CF0
                                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                      • WriteFile.KERNEL32(00000000,00472B0E,00000002,00000000,00000000), ref: 00401D22
                                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Write$Create
                                                      • String ID: RIFF$WAVE$data$fmt
                                                      • API String ID: 1602526932-4212202414
                                                      • Opcode ID: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
                                                      • Instruction ID: 459023fa40bd80d73c97eac26e4027242e7445eca248bff5dcea5bec94493f3f
                                                      • Opcode Fuzzy Hash: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
                                                      • Instruction Fuzzy Hash: 85411C726443187AE210DE51DD86FBB7FACEB85B54F40081AF644E6080D7A5E909DBB3
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe,00000003,004068DA,004752F0,00406933), ref: 004064F4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                      • API String ID: 1646373207-362752046
                                                      • Opcode ID: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
                                                      • Instruction ID: d8392adca69ca7380431791802c09c3f057f20abbaf47be00649cb9a46baa942
                                                      • Opcode Fuzzy Hash: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
                                                      • Instruction Fuzzy Hash: D20171A4E40B1635CB206F7B7C94D17AEAC9E503503160837A406F32A1EEBCD400CD7D
                                                      APIs
                                                      • lstrlenW.KERNEL32(?), ref: 0041B3E1
                                                      • _memcmp.LIBVCRUNTIME ref: 0041B3F9
                                                      • lstrlenW.KERNEL32(?), ref: 0041B412
                                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B44D
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B460
                                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B4A4
                                                      • lstrcmpW.KERNEL32(?,?), ref: 0041B4BF
                                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B4D7
                                                      • _wcslen.LIBCMT ref: 0041B4E6
                                                      • FindVolumeClose.KERNEL32(?), ref: 0041B506
                                                      • GetLastError.KERNEL32 ref: 0041B51E
                                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B54B
                                                      • lstrcatW.KERNEL32(?,?), ref: 0041B564
                                                      • lstrcpyW.KERNEL32(?,?), ref: 0041B573
                                                      • GetLastError.KERNEL32 ref: 0041B57B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                      • String ID: ?
                                                      • API String ID: 3941738427-1684325040
                                                      • Opcode ID: ab6c0a2e820866b083e3708fbad612f297667e297ed8968616fd37775c99846c
                                                      • Instruction ID: f0577cbf519c1fbc76aa3138d797bbd7c283cc622b072e5c2a83b2d98bec9820
                                                      • Opcode Fuzzy Hash: ab6c0a2e820866b083e3708fbad612f297667e297ed8968616fd37775c99846c
                                                      • Instruction Fuzzy Hash: 8441A071504705ABC720DF61E8489EBB7E8EB48705F00482FF541D2262EF78D989CBDA
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$EnvironmentVariable$_wcschr
                                                      • String ID:
                                                      • API String ID: 3899193279-0
                                                      • Opcode ID: 0e1a8f8bbfaf70a5321281e28d07a2b80f4a7f922fdb1718459ded84c8fb4435
                                                      • Instruction ID: a8aac0df7486383d9a181904d39d16e24afc3d72eb934652fe50c6e09291e228
                                                      • Opcode Fuzzy Hash: 0e1a8f8bbfaf70a5321281e28d07a2b80f4a7f922fdb1718459ded84c8fb4435
                                                      • Instruction Fuzzy Hash: 5DD12771D00310AFFB21AF77888166E7BA4BF01368F45416FF945A7381EA399E418B9D
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411D72
                                                        • Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A
                                                        • Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
                                                        • Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB
                                                      • Sleep.KERNEL32(0000000A,00466324), ref: 00411EC4
                                                      • Sleep.KERNEL32(0000000A,00466324,00466324), ref: 00411F66
                                                      • Sleep.KERNEL32(0000000A,00466324,00466324,00466324), ref: 00412008
                                                      • DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 00412069
                                                      • DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120A0
                                                      • DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120DC
                                                      • Sleep.KERNEL32(000001F4,00466324,00466324,00466324), ref: 004120F6
                                                      • Sleep.KERNEL32(00000064), ref: 00412138
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                      • String ID: /stext "$HTG$HTG$NG$NG
                                                      • API String ID: 1223786279-556891652
                                                      • Opcode ID: dc2d48520b73d896eeb902e8487fecec8a65e375c022621813084e4261d1f7f8
                                                      • Instruction ID: b666a026b41db1aee680f36e7b950d376c2ae40a85d54f66cdb5da2431d4b1f1
                                                      • Opcode Fuzzy Hash: dc2d48520b73d896eeb902e8487fecec8a65e375c022621813084e4261d1f7f8
                                                      • Instruction Fuzzy Hash: F00224315083414AD324FB61D891BEFB7D5AFD4308F50493EF88A931E2EF785A49C69A
                                                      APIs
                                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CCF4
                                                      • GetCursorPos.USER32(?), ref: 0041CD03
                                                      • SetForegroundWindow.USER32(?), ref: 0041CD0C
                                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CD26
                                                      • Shell_NotifyIconA.SHELL32(00000002,00474B50), ref: 0041CD77
                                                      • ExitProcess.KERNEL32 ref: 0041CD7F
                                                      • CreatePopupMenu.USER32 ref: 0041CD85
                                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CD9A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                      • String ID: Close
                                                      • API String ID: 1657328048-3535843008
                                                      • Opcode ID: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
                                                      • Instruction ID: 460fc807693895ecf387abb2373bcbc61375cccb84b7011694e880842115b21a
                                                      • Opcode Fuzzy Hash: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
                                                      • Instruction Fuzzy Hash: F321F831140205EFDB054FA4FD4DBAA3F65EB04702F004539FA0AA41B1DBB6ED91EB59
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$Info
                                                      • String ID:
                                                      • API String ID: 2509303402-0
                                                      • Opcode ID: 39c5139744f4540f523a9af4ed2fa8afb712fe0565144d4bd577e3f50ea1b080
                                                      • Instruction ID: de18a1b700a064f56ed707831433d851a0809218b1b1d193042f08ca5b0df7c8
                                                      • Opcode Fuzzy Hash: 39c5139744f4540f523a9af4ed2fa8afb712fe0565144d4bd577e3f50ea1b080
                                                      • Instruction Fuzzy Hash: 59B190719006059FEF11DF69C881BEEBBF4FF09304F14406EF895AB252DA799C459B24
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                      • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                      • __aulldiv.LIBCMT ref: 00407FE9
                                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                      • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                      • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                      • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                      • API String ID: 1884690901-2582957567
                                                      • Opcode ID: 51cee8c69b7389e8a28f069381dc337d69fe878f182ed45289c66d2e756e5a1e
                                                      • Instruction ID: fe8c5194ffe86d3827a7b181bfbb3d0fd3c62202293e6b84b2d5449ede98e066
                                                      • Opcode Fuzzy Hash: 51cee8c69b7389e8a28f069381dc337d69fe878f182ed45289c66d2e756e5a1e
                                                      • Instruction Fuzzy Hash: 73B182716083409BC614FB25C892BAFB7E5AFD4314F40492EF889632D2EF789945C79B
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
                                                      • LoadLibraryA.KERNEL32(?), ref: 00413FA0
                                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00413FC7
                                                      • LoadLibraryA.KERNEL32(?), ref: 00413FFF
                                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00414018
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00414027
                                                      • FreeLibrary.KERNEL32(00000000), ref: 0041403E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                      • String ID: \ws2_32$\wship6$getaddrinfo
                                                      • API String ID: 2490988753-3078833738
                                                      • Opcode ID: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
                                                      • Instruction ID: be6955175b5ce73d91635d8a52bfbd354ab09fdd92d7e760b1966c561f7cb5d0
                                                      • Opcode Fuzzy Hash: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
                                                      • Instruction Fuzzy Hash: B33117B280131567D320EF55DC84EDB7BDCAF89745F01092AFA88A3201D73CD98587AE
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 004502C1
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F510
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F522
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F534
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F546
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F558
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F56A
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F57C
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F58E
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5A0
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5B2
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5C4
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5D6
                                                        • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5E8
                                                      • _free.LIBCMT ref: 004502B6
                                                        • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                        • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                      • _free.LIBCMT ref: 004502D8
                                                      • _free.LIBCMT ref: 004502ED
                                                      • _free.LIBCMT ref: 004502F8
                                                      • _free.LIBCMT ref: 0045031A
                                                      • _free.LIBCMT ref: 0045032D
                                                      • _free.LIBCMT ref: 0045033B
                                                      • _free.LIBCMT ref: 00450346
                                                      • _free.LIBCMT ref: 0045037E
                                                      • _free.LIBCMT ref: 00450385
                                                      • _free.LIBCMT ref: 004503A2
                                                      • _free.LIBCMT ref: 004503BA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      • Opcode ID: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
                                                      • Instruction ID: 8d5a52dc196ca223d521196e0170462af54da78aea2ffa7a7b46d1c1532e12ca
                                                      • Opcode Fuzzy Hash: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
                                                      • Instruction Fuzzy Hash: 57316F355003009FEB20AA79D84AB5B73E9EF01365F51445FF88AD7652DF38AC48D719
                                                      APIs
                                                        • Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                        • Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                        • Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
                                                        • Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
                                                        • Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C826
                                                      • ExitProcess.KERNEL32 ref: 0040C832
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$PSG$Temp$exepath$open
                                                      • API String ID: 1913171305-1605470806
                                                      • Opcode ID: e25f8157e9f350052b0f4595ec8701be29ea22bdce4a73478e308fb1e33702c0
                                                      • Instruction ID: 0a59ab1ac2652dc6c4b0de1f1bfb113b457f9f33def171b9a9917dadcc9857af
                                                      • Opcode Fuzzy Hash: e25f8157e9f350052b0f4595ec8701be29ea22bdce4a73478e308fb1e33702c0
                                                      • Instruction Fuzzy Hash: 2E416D329101185ACB14F761DC56DFE7779AF50708F10417FF806B31E2EE786A8ACA98
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
                                                      • Instruction ID: 986e8a668492dbee8f9f46891c6c86f5dcf9ebf43b9fca0c5b911ed3811bef24
                                                      • Opcode Fuzzy Hash: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
                                                      • Instruction Fuzzy Hash: 1FC15371D40204BBEB20EAA8CC82FEE77B89B08704F15416AFE45FB282D6749D459768
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                      • closesocket.WS2_32(000000FF), ref: 0040481F
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                      • String ID:
                                                      • API String ID: 3658366068-0
                                                      • Opcode ID: 0962e5985aceae85a5c94cde7029e24ad356a8ace8c6bfbca5ef33fdb60659b2
                                                      • Instruction ID: bab6184e8302d1d457a53eef1949a11c31841f7ba2aeead181e9cd14b25d2afd
                                                      • Opcode Fuzzy Hash: 0962e5985aceae85a5c94cde7029e24ad356a8ace8c6bfbca5ef33fdb60659b2
                                                      • Instruction Fuzzy Hash: 21212C71100F149FC6216B26DC05A17BBE1EF40325F104A6EE2A622AF2CF35F851DB4C
                                                      APIs
                                                        • Part of subcall function 00454860: CreateFileW.KERNEL32(00000000,?,?,;LE,?,?,00000000,?,00454C3B,00000000,0000000C), ref: 0045487D
                                                      • GetLastError.KERNEL32 ref: 00454CA6
                                                      • __dosmaperr.LIBCMT ref: 00454CAD
                                                      • GetFileType.KERNEL32(00000000), ref: 00454CB9
                                                      • GetLastError.KERNEL32 ref: 00454CC3
                                                      • __dosmaperr.LIBCMT ref: 00454CCC
                                                      • CloseHandle.KERNEL32(00000000), ref: 00454CEC
                                                      • CloseHandle.KERNEL32(?), ref: 00454E36
                                                      • GetLastError.KERNEL32 ref: 00454E68
                                                      • __dosmaperr.LIBCMT ref: 00454E6F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      • Opcode ID: 7241ecee4a5f1f89fc763009d89c6ec11b2c57897b1f7dc41199f6beedf99759
                                                      • Instruction ID: a1ee14646c220e05fb339a94c39d658440f80e8cb8884f5184f0ba1168eb6fd8
                                                      • Opcode Fuzzy Hash: 7241ecee4a5f1f89fc763009d89c6ec11b2c57897b1f7dc41199f6beedf99759
                                                      • Instruction Fuzzy Hash: EBA126319045489FDF19DF68D8427AE7BB1EB46329F14015EEC01AF392CB398896CB5A
                                                      APIs
                                                      • __EH_prolog.LIBCMT ref: 00419323
                                                      • GdiplusStartup.GDIPLUS(00474AF4,?,00000000), ref: 00419355
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004193E1
                                                      • Sleep.KERNEL32(000003E8), ref: 00419463
                                                      • GetLocalTime.KERNEL32(?), ref: 00419472
                                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041955B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$VG$VG
                                                      • API String ID: 489098229-455837001
                                                      • Opcode ID: 500acf9a494ada26150f229ae3ebd5d047cc9a7eea70b6fe6913e98e6c89e00a
                                                      • Instruction ID: fd6a6a94d4e700b4a78141c9ee43bb9ee9cebd21b8d39b126fa21a823fd8be24
                                                      • Opcode Fuzzy Hash: 500acf9a494ada26150f229ae3ebd5d047cc9a7eea70b6fe6913e98e6c89e00a
                                                      • Instruction Fuzzy Hash: 9F517B71A002449ACB14BBB5C866AFE7BA9AB55308F40403FF845B71D2EF3C5E85C799
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 65535$udp
                                                      • API String ID: 0-1267037602
                                                      • Opcode ID: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
                                                      • Instruction ID: c3bfc2202edcb816331f8b78e042012e01f064b481147a6b300cfea58c86e196
                                                      • Opcode Fuzzy Hash: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
                                                      • Instruction Fuzzy Hash: E241F4716093029BD7209F28D905BBB3BA4EB84742F04042FF98593391EB6DDEC1866E
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00466554), ref: 0041710A
                                                      • CloseHandle.KERNEL32(00000000), ref: 00417113
                                                      • DeleteFileA.KERNEL32(00000000), ref: 00417122
                                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004170D6
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                      • String ID: <$@$HVG$HVG$TeF$Temp
                                                      • API String ID: 1107811701-3258348784
                                                      • Opcode ID: d902a6d54ce373eeaba4fe26e471b4facccc04bacbce4bf5cb3c6a9bc09dc6e7
                                                      • Instruction ID: 91e4b2e714ed18abe86730f534b33d619c8c8851ecafca63038a632c75497fc1
                                                      • Opcode Fuzzy Hash: d902a6d54ce373eeaba4fe26e471b4facccc04bacbce4bf5cb3c6a9bc09dc6e7
                                                      • Instruction Fuzzy Hash: 00319C31A00209ABCB04FBA1DC56AEE7775AF50308F40417EF506761E2EF785A89CB99
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395C9
                                                      • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395D6
                                                      • __dosmaperr.LIBCMT ref: 004395DD
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439609
                                                      • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439613
                                                      • __dosmaperr.LIBCMT ref: 0043961A
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043965D
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439667
                                                      • __dosmaperr.LIBCMT ref: 0043966E
                                                      • _free.LIBCMT ref: 0043967A
                                                      • _free.LIBCMT ref: 00439681
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                      • String ID:
                                                      • API String ID: 2441525078-0
                                                      • Opcode ID: 7d25b48f924a9fae5a5881453bd469cfe57fd0c2e6412707544dbbd620f0408d
                                                      • Instruction ID: 4e2bc3e06b1619faa1414a7a2c806c5d1514cda6e297fdc8b1054bbcfea92265
                                                      • Opcode Fuzzy Hash: 7d25b48f924a9fae5a5881453bd469cfe57fd0c2e6412707544dbbd620f0408d
                                                      • Instruction Fuzzy Hash: D431E27280560ABFDF11AFA5DC459AF3B68EF09324F10015EF81066251DB39CD50DBAA
                                                      APIs
                                                      • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                      • TranslateMessage.USER32(?), ref: 00404F30
                                                      • DispatchMessageA.USER32(?), ref: 00404F3B
                                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00404FF3
                                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                                      • API String ID: 2956720200-749203953
                                                      • Opcode ID: 96316b140588b7c4ada28055f90010ccda92cd34d6d0a69490f2829ee7134a41
                                                      • Instruction ID: 290a0909c372499a911e5ffd519e5407deecd3e64339803c74491ead196e324c
                                                      • Opcode Fuzzy Hash: 96316b140588b7c4ada28055f90010ccda92cd34d6d0a69490f2829ee7134a41
                                                      • Instruction Fuzzy Hash: A441B1726043016BC614FB75DC568AF7BA8ABC1714F00093EF906A31E6EF38DA05C79A
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00475A50,00000000,004752F0,00003000,00000004,00000000,00000001), ref: 00406647
                                                      • GetCurrentProcess.KERNEL32(00475A50,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe), ref: 00406705
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentProcess
                                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$peF$windir
                                                      • API String ID: 2050909247-369753874
                                                      • Opcode ID: 3d4dde61fac8f932cecf13147f1715ad91c8a5d9075df555c2e0fc840e87cdfb
                                                      • Instruction ID: 2a8ac338152687dbadce55b3d6de3572d7837fd421bef744f3a625c24d449dc1
                                                      • Opcode Fuzzy Hash: 3d4dde61fac8f932cecf13147f1715ad91c8a5d9075df555c2e0fc840e87cdfb
                                                      • Instruction Fuzzy Hash: B231B671600700AFD300AF65DC8AF5677A8FB44709F11053EF50ABB6E1EBB9A8548B6D
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419E8A
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EA1
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EAE
                                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EBD
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ECE
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ED1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      • Opcode ID: d8ee8a8803e7433114f97b69310c3a8ddf5ffb6cd74ebe626055e8ac32cb8db8
                                                      • Instruction ID: 401ec45fa9dd23e1a78cca63bf6ad54db5d4c9b9326c405a7ffc92fc58cb3c60
                                                      • Opcode Fuzzy Hash: d8ee8a8803e7433114f97b69310c3a8ddf5ffb6cd74ebe626055e8ac32cb8db8
                                                      • Instruction Fuzzy Hash: 4211A331941218BBD711AB64DC85DFF3B6CDB45BA1B05002AF902A21D2DF64CD4A9AB5
                                                      APIs
                                                      • _free.LIBCMT ref: 00446FEF
                                                        • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                        • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                      • _free.LIBCMT ref: 00446FFB
                                                      • _free.LIBCMT ref: 00447006
                                                      • _free.LIBCMT ref: 00447011
                                                      • _free.LIBCMT ref: 0044701C
                                                      • _free.LIBCMT ref: 00447027
                                                      • _free.LIBCMT ref: 00447032
                                                      • _free.LIBCMT ref: 0044703D
                                                      • _free.LIBCMT ref: 00447048
                                                      • _free.LIBCMT ref: 00447056
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
                                                      • Instruction ID: 9fec27c2adf71536e74eabd4120179072dbaa777ef3671cded9c13d0800a1e4b
                                                      • Opcode Fuzzy Hash: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
                                                      • Instruction Fuzzy Hash: 86119B7550011CBFDB05EF55C882CDD3BB5EF05364B9240AAF9494F222DA35DE50EB49
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041BA51
                                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041BA95
                                                      • RegCloseKey.ADVAPI32(?), ref: 0041BD5F
                                                      Strings
                                                      • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041BA47
                                                      • DisplayName, xrefs: 0041BADC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEnumOpen
                                                      • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                      • API String ID: 1332880857-3614651759
                                                      • Opcode ID: 403d69b7d6150682721d806f011c6d0cce43ad32a20d27b465eebd232eb4432d
                                                      • Instruction ID: 1bcbf0a3cc417a03c0c35e29071d92a42b6db1fb54f2f7a4c144fc0fa0a0a3c2
                                                      • Opcode Fuzzy Hash: 403d69b7d6150682721d806f011c6d0cce43ad32a20d27b465eebd232eb4432d
                                                      • Instruction Fuzzy Hash: 43813F311082409FD324EB11D951AEFB7E8FFD4314F10493FB586921E1EF34AA59CA9A
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Eventinet_ntoa
                                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                      • API String ID: 3578746661-3604713145
                                                      • Opcode ID: 755815a8590020fe67a5e007faf453d0433b6e07d610cf032f2efe3dd928df76
                                                      • Instruction ID: 73c74054356758d85ec5353b0407031f458931cc5dd6312d5a4dd957febfbb04
                                                      • Opcode Fuzzy Hash: 755815a8590020fe67a5e007faf453d0433b6e07d610cf032f2efe3dd928df76
                                                      • Instruction Fuzzy Hash: 5851A4316043005BCA14FB75D95AAAE36A59B84318F00453FF809972E1DFBC9D85C78E
                                                      APIs
                                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00416842
                                                        • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                      • Sleep.KERNEL32(00000064), ref: 0041686E
                                                      • DeleteFileW.KERNEL32(00000000), ref: 004168A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CreateDeleteExecuteShellSleep
                                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                      • API String ID: 1462127192-2001430897
                                                      • Opcode ID: 30589525983727894ad073842d04d74b43d138f664415db5492ece07a2d42c30
                                                      • Instruction ID: c4be9e9118a59201799f54b99a9a171b680bb642a7e99c3b30ff6139130205e5
                                                      • Opcode Fuzzy Hash: 30589525983727894ad073842d04d74b43d138f664415db5492ece07a2d42c30
                                                      • Instruction Fuzzy Hash: 1B313E719001189ADB04FBA1DC96EEE7764AF50708F00417FF946730D2EF786A8ACA9D
                                                      APIs
                                                      • _strftime.LIBCMT ref: 00401AD3
                                                        • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                      • waveInUnprepareHeader.WINMM(00472AC0,00000020,00000000,?), ref: 00401B85
                                                      • waveInPrepareHeader.WINMM(00472AC0,00000020), ref: 00401BC3
                                                      • waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401BD2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                      • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                      • API String ID: 3809562944-243156785
                                                      • Opcode ID: 8bc7c709b81e80b1cd26a8133e5bfa918e3c280da4f8c48c3ca11c29a62aef04
                                                      • Instruction ID: b0e15ff03f11dcb3e5bfd7c1448581b7ace3962aa9bffbd159c0990beee9d81b
                                                      • Opcode Fuzzy Hash: 8bc7c709b81e80b1cd26a8133e5bfa918e3c280da4f8c48c3ca11c29a62aef04
                                                      • Instruction Fuzzy Hash: 7E315E315043019FC324EB21DC56A9E77A4FB94314F00493EF559A21F1EFB8AA89CB9A
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041CB93
                                                        • Part of subcall function 0041CC2A: RegisterClassExA.USER32(00000030), ref: 0041CC77
                                                        • Part of subcall function 0041CC2A: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
                                                        • Part of subcall function 0041CC2A: GetLastError.KERNEL32 ref: 0041CC9C
                                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041CBCA
                                                      • lstrcpynA.KERNEL32(00474B68,Remcos,00000080), ref: 0041CBE4
                                                      • Shell_NotifyIconA.SHELL32(00000000,00474B50), ref: 0041CBFA
                                                      • TranslateMessage.USER32(?), ref: 0041CC06
                                                      • DispatchMessageA.USER32(?), ref: 0041CC10
                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CC1D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                      • String ID: Remcos
                                                      • API String ID: 1970332568-165870891
                                                      • Opcode ID: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
                                                      • Instruction ID: 6591afd7fea275f101bd811abb8745f55115b26a2df550b070e187602390ba30
                                                      • Opcode Fuzzy Hash: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
                                                      • Instruction Fuzzy Hash: 130112B1940344ABD7109BA5EC4DFEABBBCA7C5B05F004029E615A2061EFB8E585CB6D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b79e0bacf68e79f56bbfbff6a95aeb92d11d955db7cfd18af0a5c0e52fbe5259
                                                      • Instruction ID: 8081305e108bfff8a8e14cd18a234b42858a69a1a1930647e7f2335dd99175ec
                                                      • Opcode Fuzzy Hash: b79e0bacf68e79f56bbfbff6a95aeb92d11d955db7cfd18af0a5c0e52fbe5259
                                                      • Instruction Fuzzy Hash: 44C105B0D04249AFEF11DFA9C8417BEBBB4EF09314F04415AE544A7392C738D941CBA9
                                                      APIs
                                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00453013,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452DE6
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452E69
                                                      • __alloca_probe_16.LIBCMT ref: 00452EA1
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00453013,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452EFC
                                                      • __alloca_probe_16.LIBCMT ref: 00452F4B
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F13
                                                        • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F8F
                                                      • __freea.LIBCMT ref: 00452FBA
                                                      • __freea.LIBCMT ref: 00452FC6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                      • String ID:
                                                      • API String ID: 201697637-0
                                                      • Opcode ID: 636d8ee8978a4b28d28c899fe5287c94f7ea3d2e518637072967bc6aea0c1ce5
                                                      • Instruction ID: e285173fe66e9ab68cc8b5f7bb46492c032c90826bba7407019ac45f59d87ef3
                                                      • Opcode Fuzzy Hash: 636d8ee8978a4b28d28c899fe5287c94f7ea3d2e518637072967bc6aea0c1ce5
                                                      • Instruction Fuzzy Hash: E991D572E002169BDF208E64DA41AEFBBB5AF0A312F14055BFC05E7242D778DC48C768
                                                      APIs
                                                        • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                        • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                        • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                        • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                      • _memcmp.LIBVCRUNTIME ref: 004448B3
                                                      • _free.LIBCMT ref: 00444924
                                                      • _free.LIBCMT ref: 0044493D
                                                      • _free.LIBCMT ref: 0044496F
                                                      • _free.LIBCMT ref: 00444978
                                                      • _free.LIBCMT ref: 00444984
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorLast$_abort_memcmp
                                                      • String ID: C
                                                      • API String ID: 1679612858-1037565863
                                                      • Opcode ID: 614205798ad6061f3d9420df6d0f7eb30440e43e095dda7afa9147f4421e103d
                                                      • Instruction ID: ce46d41f1d9e01bafc0896c2bb0d2adb680072b6a59d341745b23d3028246374
                                                      • Opcode Fuzzy Hash: 614205798ad6061f3d9420df6d0f7eb30440e43e095dda7afa9147f4421e103d
                                                      • Instruction Fuzzy Hash: 24B14975A012199FEB24DF18C884BAEB7B4FF49314F1045AEE849A7351D738AE90CF48
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: tcp$udp
                                                      • API String ID: 0-3725065008
                                                      • Opcode ID: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
                                                      • Instruction ID: 641150f3fd0ea6af627c79cdc5c75230aa36f57d28899e04d0661f3c05bf373f
                                                      • Opcode Fuzzy Hash: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
                                                      • Instruction Fuzzy Hash: 0D71D1716083528FDB24CF1994846ABB7E0AF84746F14442FF885A7352E77CDE81CB8A
                                                      APIs
                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
                                                      • _free.LIBCMT ref: 00448277
                                                        • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                        • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                      • _free.LIBCMT ref: 00448443
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                      • String ID: xE$xE
                                                      • API String ID: 1286116820-1741595589
                                                      • Opcode ID: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
                                                      • Instruction ID: 82a604bb7294b81f3f73b5ad664ce4632eb81d562d18d3de5c52697f85b56542
                                                      • Opcode Fuzzy Hash: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
                                                      • Instruction Fuzzy Hash: 43510871900219ABEB14EF698D819AE77BCEF44B14F1002AFF854A3291EF788D418B5C
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412D99
                                                        • Part of subcall function 00412A82: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
                                                        • Part of subcall function 00412A82: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      • RegCloseKey.ADVAPI32(TeFTeF,00466554,00466554,00466900,00466900,00000071), ref: 00412F09
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEnumInfoOpenQuerysend
                                                      • String ID: TeF$TeFTeF$NG$TG$TG
                                                      • API String ID: 3114080316-3278504382
                                                      • Opcode ID: 21c71a250b61d8481e14fb29f658506147abfbd5a14f52d08b2dadadcd8e3add
                                                      • Instruction ID: 217e792c851e8857c64f97df11b7492b8bc11e7bd79a931969a0b124146415da
                                                      • Opcode Fuzzy Hash: 21c71a250b61d8481e14fb29f658506147abfbd5a14f52d08b2dadadcd8e3add
                                                      • Instruction Fuzzy Hash: ED41A1316042005BD224F725D8A2AEF7395AFD0308F50843FF94A671E2EF7C5D4986AE
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                        • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                        • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                      • String ID: .part
                                                      • API String ID: 1303771098-3499674018
                                                      • Opcode ID: b78f9c0dad55f8f19791313ae5084cf2035b383ecf8786089be001690557f36c
                                                      • Instruction ID: 7eae26b3d9efd85ab9a821acf87acbbc445967fcd6ce231ca79d13f55b5b668b
                                                      • Opcode Fuzzy Hash: b78f9c0dad55f8f19791313ae5084cf2035b383ecf8786089be001690557f36c
                                                      • Instruction Fuzzy Hash: C631A4715083019FD210EF21DD459AFB7A8FB84755F40093EF9C6B21A1DF38AA48CB9A
                                                      APIs
                                                        • Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
                                                        • Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
                                                        • Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637
                                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                      • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TeF
                                                      • API String ID: 1133728706-3101562037
                                                      • Opcode ID: f8e7fb648c548857668710dd0e9519a80c5674c84583f57a4e2fba272261da1f
                                                      • Instruction ID: 7ed93d3ebd4d115a7197ccd8f2df160251767479400bef64a6787df62d4369c8
                                                      • Opcode Fuzzy Hash: f8e7fb648c548857668710dd0e9519a80c5674c84583f57a4e2fba272261da1f
                                                      • Instruction Fuzzy Hash: 29215C31A1410966CB04F7B2CCA69EE7764AE94318F40013FA902771D2EF789A4986DE
                                                      APIs
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                      • waveInOpen.WINMM(00472AF8,000000FF,00472B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                      • waveInPrepareHeader.WINMM(00472AC0,00000020,00000000), ref: 00401A66
                                                      • waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401A75
                                                      • waveInStart.WINMM ref: 00401A81
                                                      Similarity
                                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                      • String ID: dMG$|MG
                                                      APIs
                                                      • AllocConsole.KERNEL32(004750FC), ref: 0041C0C4
                                                      • GetConsoleWindow.KERNEL32 ref: 0041C0CA
                                                      • ShowWindow.USER32(00000000,00000000), ref: 0041C0DD
                                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041C102
                                                      Similarity
                                                      • API ID: Console$Window$AllocOutputShow
                                                      • String ID: Remcos v$6.0.0 Pro$CONOUT$
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D774,0043D774,?,?,?,00449DB1,00000001,00000001,1AE85006), ref: 00449BBA
                                                      • __alloca_probe_16.LIBCMT ref: 00449BF2
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449DB1,00000001,00000001,1AE85006,?,?,?), ref: 00449C40
                                                      • __alloca_probe_16.LIBCMT ref: 00449CD7
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449D3A
                                                      • __freea.LIBCMT ref: 00449D47
                                                        • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                      • __freea.LIBCMT ref: 00449D50
                                                      • __freea.LIBCMT ref: 00449D75
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                      • String ID:
                                                      APIs
                                                      • SendInput.USER32 ref: 00418CFE
                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00418D26
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D4D
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D6B
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D8B
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DB0
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DD2
                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00418DF5
                                                        • Part of subcall function 00418CA7: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418CAD
                                                      Similarity
                                                      • API ID: InputSend$Virtual
                                                      • String ID:
                                                      APIs
                                                      • OpenClipboard.USER32 ref: 00415BDE
                                                      • EmptyClipboard.USER32 ref: 00415BEC
                                                      • CloseClipboard.USER32 ref: 00415BF2
                                                      • OpenClipboard.USER32 ref: 00415BF9
                                                      • GetClipboardData.USER32(0000000D), ref: 00415C09
                                                      • GlobalLock.KERNEL32(00000000), ref: 00415C12
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
                                                      • CloseClipboard.USER32 ref: 00415C21
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Similarity
                                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                      • String ID:
                                                      Similarity
                                                      • API ID: __freea$__alloca_probe_16
                                                      • String ID: a/p$am/pm$hD
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      APIs
                                                        • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                      • _free.LIBCMT ref: 00444296
                                                      • _free.LIBCMT ref: 004442AD
                                                      • _free.LIBCMT ref: 004442CC
                                                      • _free.LIBCMT ref: 004442E7
                                                      • _free.LIBCMT ref: 004442FE
                                                      Similarity
                                                      • API ID: _free$AllocateHeap
                                                      • String ID: Z9D
                                                      APIs
                                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044AA48,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A315
                                                      • __fassign.LIBCMT ref: 0044A390
                                                      • __fassign.LIBCMT ref: 0044A3AB
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A3D1
                                                      • WriteFile.KERNEL32(?,00000000,00000000,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A3F0
                                                      • WriteFile.KERNEL32(?,?,00000001,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A429
                                                      Similarity
                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                      • String ID:
                                                      APIs
                                                      • ExitThread.KERNEL32 ref: 004017F4
                                                        • Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
                                                        • Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C
                                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401902
                                                        • Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6
                                                      • __Init_thread_footer.LIBCMT ref: 004017BC
                                                        • Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
                                                        • Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                      • String ID: XMG$NG$NG
                                                      APIs
                                                        • Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
                                                        • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E799
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040E7BD
                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7CC
                                                      • CloseHandle.KERNEL32(00000000), ref: 0040E983
                                                        • Part of subcall function 0041B392: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E5A8,00000000,?,?,004750FC), ref: 0041B3A7
                                                        • Part of subcall function 0041B392: IsWow64Process.KERNEL32(00000000,?,?,?,004750FC), ref: 0041B3B2
                                                        • Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
                                                        • Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E974
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                      • String ID: `wF
                                                      • API String ID: 2180151492-1213667750
                                                      • Opcode ID: 9dc562cd00f3f50bc6e2eada1fc9f3fa230e0bea5391e794d91a9c4d3f2fe10f
                                                      • Instruction ID: eccf11dc20c1a31a83cdfd33956dcb3d749eb3f266b118f2c15681f5292a9231
                                                      • Opcode Fuzzy Hash: 9dc562cd00f3f50bc6e2eada1fc9f3fa230e0bea5391e794d91a9c4d3f2fe10f
                                                      • Instruction Fuzzy Hash: F741CF311083455BC225FB61D891AEFB7E5AFA4304F50453EF849531E1EF389A49C65A
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 00437CBB
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00437CC3
                                                      • _ValidateLocalCookies.LIBCMT ref: 00437D51
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00437D7C
                                                      • _ValidateLocalCookies.LIBCMT ref: 00437DD1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 1170836740-1018135373
                                                      • Opcode ID: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
                                                      • Instruction ID: 1103995f59bc857a00dd0af833384e4a9f5f4a2e3f3cb1d3a3c35a3a433dd29e
                                                      • Opcode Fuzzy Hash: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
                                                      • Instruction Fuzzy Hash: 4E410674A042099BCF20DF29C844AAE7BA5AF4C328F14905AEC55AB392D739DD45CF98
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cfbae8f3dcd2e5f3bdf3bcee8d3106cebccc1d81cd58107c476234e6777acd1f
                                                      • Instruction ID: 890753aa9dfb888b2a1585f98a5e225511b13b718af609ae416a1884f745cca0
                                                      • Opcode Fuzzy Hash: cfbae8f3dcd2e5f3bdf3bcee8d3106cebccc1d81cd58107c476234e6777acd1f
                                                      • Instruction Fuzzy Hash: 3A112472504A15BFDB206F729C08D3B3AACEB82736F20016EFC15D7282DE38C800C669
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FCD4
                                                      • int.LIBCPMT ref: 0040FCE7
                                                        • Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
                                                        • Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE
                                                      • std::_Facet_Register.LIBCPMT ref: 0040FD23
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FD49
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FD65
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                      • String ID: xkG
                                                      • API String ID: 2536120697-3406988965
                                                      • Opcode ID: 4b6f72b1e0d08092fd2688f9826419a51511b3482868562e895aff95ac9ad519
                                                      • Instruction ID: 7cf641d0f45d7e480cf6c67891cb53e845b1d2cd586d61112ae60f6436568b55
                                                      • Opcode Fuzzy Hash: 4b6f72b1e0d08092fd2688f9826419a51511b3482868562e895aff95ac9ad519
                                                      • Instruction Fuzzy Hash: 3B11F032900119A7CB14FBA5D8429DEB7689E55358F10013BF809B72D1EB3CAF49C7D9
                                                      APIs
                                                        • Part of subcall function 0044FC32: _free.LIBCMT ref: 0044FC5B
                                                      • _free.LIBCMT ref: 0044FF39
                                                        • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                        • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                      • _free.LIBCMT ref: 0044FF44
                                                      • _free.LIBCMT ref: 0044FF4F
                                                      • _free.LIBCMT ref: 0044FFA3
                                                      • _free.LIBCMT ref: 0044FFAE
                                                      • _free.LIBCMT ref: 0044FFB9
                                                      • _free.LIBCMT ref: 0044FFC4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                      • Instruction ID: 7d3bb130547cbd64d3bc6acdbb054c191a8682768e3bc5df2cfa43195c7f437f
                                                      • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                      • Instruction Fuzzy Hash: 3611603158175CAAE930B7B2CC87FCB779CFF01744F804C2EB69B66052DA2CB90A5655
                                                      APIs
                                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe), ref: 00406835
                                                        • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                        • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9
                                                      • CoUninitialize.OLE32 ref: 0040688E
                                                      Strings
                                                      • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                      • [+] before ShellExec, xrefs: 00406856
                                                      • [+] ShellExec success, xrefs: 00406873
                                                      • C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InitializeObjectUninitialize_wcslen
                                                      • String ID: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                      • API String ID: 3851391207-2780929936
                                                      • Opcode ID: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
                                                      • Instruction ID: bf5204b976fdd256b066cceb308157ad377b3c08e3874fea13dbf5f4dff6080c
                                                      • Opcode Fuzzy Hash: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
                                                      • Instruction Fuzzy Hash: F20180722023117FE2287B21DC0EF7B6658DB4176AF12413FF946A71C1EAA9AC014679
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FFB7
                                                      • int.LIBCPMT ref: 0040FFCA
                                                        • Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
                                                        • Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE
                                                      • std::_Facet_Register.LIBCPMT ref: 00410006
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0041002C
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00410048
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                      • String ID: pmG
                                                      • API String ID: 2536120697-2472243355
                                                      • Opcode ID: 49ddf8ddb094ef95c775291761389dec69e80ba720e56a3ba1433f00512a79dc
                                                      • Instruction ID: 7757f8b08a06b45aa46d7f93aac2e311949306114fe400d1b3bff67def6a62fd
                                                      • Opcode Fuzzy Hash: 49ddf8ddb094ef95c775291761389dec69e80ba720e56a3ba1433f00512a79dc
                                                      • Instruction Fuzzy Hash: D911B231900419EBCB14FBA5D9429DD7B689E58358F10016FF40567191EB78AF86C789
                                                      APIs
                                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                      • GetLastError.KERNEL32 ref: 0040B2EE
                                                      Strings
                                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                      • UserProfile, xrefs: 0040B2B4
                                                      • [Chrome Cookies not found], xrefs: 0040B308
                                                      • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteErrorFileLast
                                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                      • API String ID: 2018770650-304995407
                                                      • Opcode ID: cf451260b0bd619138d89529fe6e6a099da6595cca3d19e9fe3cb5fbfd9057d6
                                                      • Instruction ID: 9d7a183bab8cffc7e176200adf3036985cfece21d6991fc3b8afe8d0fe8b9813
                                                      • Opcode Fuzzy Hash: cf451260b0bd619138d89529fe6e6a099da6595cca3d19e9fe3cb5fbfd9057d6
                                                      • Instruction Fuzzy Hash: AB01623565010557CB0477B6DD6B9AF3628ED51718B60013FF802771E2FE3A990586DE
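The three records above (the Toolhelp32 process walk with IsWow64Process and OpenProcess on each entry, the CoGetObject call sitting beside the "[+] ucmCMLuaUtilShellExecMethod" string, and the DeleteFileA on the Chrome Cookies database), together with the ChangeServiceConfigW record further down this listing, are the function-level evidence behind the report's "bypass UAC (CMSTPLUA)", "enumerate process", "steal Chrome cookies" and "enumerate running services" signatures. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses records in this "APIs / Strings / Similarity / Opcode ID" layout and applies one triage rule per behaviour, so the same check can be run over the full function listing instead of reading each record by hand. The excerpt it runs on is constructed by copying API and string lines from those four records (the last one carries no Opcode ID in the excerpt); the rule names, finding texts and record layout are this example's own, the rule also accepts DeleteFileW although this page only shows DeleteFileA, and reading the 000000FF arguments of ChangeServiceConfigW as SERVICE_NO_CHANGE is an assumption the rule deliberately does not rely on.

```python
"""Triage the per-function records of a Joe Sandbox report (the "APIs / Strings /
Similarity / Opcode ID" blocks) and flag the behaviours shown on this page.
Added example, not part of the report or of the analysed sample; rule names and
finding texts are this example's own."""
import re

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: [0-9A-F]{8}(?:, [0-9A-F]{8})*$")

def parse_records(text):
    """One dict per function; a record starts at an 'APIs' header and runs to the next.
    'Part of subcall' entries are kept and tagged with the callee address."""
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                cur = {"apis": [], "strings": [], "opcode_id": ""}
                records.append(cur)
            section = line
        elif cur is None:
            continue
        elif line.startswith("Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
        elif section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["module"], "sub": m["sub"],
                                "ref": m["ref"], "args": m["args"].split(",") if m["args"] else []})
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur["strings"].append(m["text"])
    return records

def names(rec):
    return {a["name"] for a in rec["apis"]}

def rule_cmstplua_uac_bypass(rec):
    # CoGetObject beside the UACMe debug string: the auto-elevated CMSTPLUA COM object
    # (ICMLuaUtil::ShellExec) runs a command as administrator without a consent prompt.
    if "CoGetObject" in names(rec) and any("ucmCMLuaUtilShellExecMethod" in s for s in rec["strings"]):
        return "UAC bypass via CMSTPLUA ICMLuaUtil::ShellExec (UACMe debug strings present)"

def rule_process_walk(rec):
    # Toolhelp32 walk with OpenProcess/IsWow64Process per entry: picks running processes
    # by name and bitness, the usual prelude to injecting into a host process.
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
        "OpenProcess", "IsWow64Process"} <= names(rec):
        return "process enumeration with per-process OpenProcess/IsWow64Process (injection target selection)"

def rule_chrome_cookie_wipe(rec):
    if {"DeleteFileA", "DeleteFileW"} & names(rec) and any(
            s.endswith(r"\Google\Chrome\User Data\Default\Cookies") for s in rec["strings"]):
        return "deletes the Chrome cookie database under %UserProfile%"

def rule_service_disable(rec):
    # ChangeServiceConfigW(hService, dwServiceType, dwStartType, ...): dwStartType 4 is
    # SERVICE_DISABLED.  The listing prints 000000FF for its neighbours; reading that as
    # SERVICE_NO_CHANGE (0xFFFFFFFF) is an assumption, so only dwStartType is checked.
    for a in rec["apis"]:
        if a["name"] == "ChangeServiceConfigW" and len(a["args"]) > 2 and a["args"][2] == "00000004":
            return "ChangeServiceConfigW with dwStartType=SERVICE_DISABLED (service disabled)"

RULES = [rule_cmstplua_uac_bypass, rule_process_walk, rule_chrome_cookie_wipe, rule_service_disable]

def triage(text):
    """Map each flagged record (keyed by Opcode ID, or by index if it has none) to its findings."""
    out = {}
    for i, rec in enumerate(parse_records(text)):
        if hits := [f for rule in RULES if (f := rule(rec))]:
            out[rec["opcode_id"] or f"record-{i}"] = hits
    return out

# Constructed excerpt: API and string lines copied from the records on this page;
# the last record (ChangeServiceConfigW) carries no Opcode ID in this excerpt.
SAMPLE = r"""
APIs
  • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E799
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E7BD
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7CC
  • Part of subcall function 0041B392: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E5A8,00000000,?,?,004750FC), ref: 0041B3A7
• Opcode ID: 9dc562cd00f3f50bc6e2eada1fc9f3fa230e0bea5391e794d91a9c4d3f2fe10f
APIs
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
Strings
• [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
• Opcode ID: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
• [Chrome Cookies found, cleared!], xrefs: 0040B314
• Opcode ID: cf451260b0bd619138d89529fe6e6a099da6595cca3d19e9fe3cb5fbfd9057d6
APIs
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004196FD), ref: 0041A048
"""
```

Calling triage(SAMPLE) returns one entry per flagged record keyed by its Opcode ID, which is the stable handle Joe Sandbox gives a function across reports, so the findings can be joined back to the listing or to other samples sharing the same opcode hash. Records are keyed on Opcode ID rather than on the ref address because the same code shows up at different addresses in repacked builds. The subcall entries are kept on purpose: on this page both OpenProcess and IsWow64Process only appear as "Part of subcall function" lines, and dropping them would hide the process-walk pattern.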
                                                      APIs
                                                      • __allrem.LIBCMT ref: 00439999
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399B5
                                                      • __allrem.LIBCMT ref: 004399CC
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399EA
                                                      • __allrem.LIBCMT ref: 00439A01
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439A1F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                      • String ID:
                                                      • API String ID: 1992179935-0
                                                      • Opcode ID: b56df2ec526ecb605ad204b00dc5db07d06cb4bbbde3923a820af03cd63327b9
                                                      • Instruction ID: 5399b0f9a6461ae69e9bde9777a653eaf6085cdcce353b40ae7049a42401d5b7
                                                      • Opcode Fuzzy Hash: b56df2ec526ecb605ad204b00dc5db07d06cb4bbbde3923a820af03cd63327b9
                                                      • Instruction Fuzzy Hash: 15810B72A00706ABE724BA79CC41B6B73E89F89768F24522FF411D7781E7B8DD008758
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __cftoe
                                                      • String ID:
                                                      • API String ID: 4189289331-0
                                                      • Opcode ID: 59a84199312040bebd3b7080c8be9dd535ae7880d2ee6b6a8de25d9cd02a2692
                                                      • Instruction ID: 890c16c57639ce4616fdae23c1b2cf08611ffd87950db76db0bf4773250d0152
                                                      • Opcode Fuzzy Hash: 59a84199312040bebd3b7080c8be9dd535ae7880d2ee6b6a8de25d9cd02a2692
                                                      • Instruction Fuzzy Hash: 2C512972900205ABFB249BA98C41FAF77A9EFC8324F24411FF815D6292DB3DDD11966C
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                        • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: H_prologSleep
                                                      • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                      • API String ID: 3469354165-3054508432
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 00419FF2
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A006
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A013
                                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004196FD), ref: 0041A048
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05A
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05D
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                      • String ID:
                                                      • API String ID: 493672254-0
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,0043800D,004379C1), ref: 00438024
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438032
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043804B
                                                      • SetLastError.KERNEL32(00000000,?,0043800D,004379C1), ref: 0043809D
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                      • _free.LIBCMT ref: 00447106
                                                      • _free.LIBCMT ref: 0044712E
                                                      • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
                                                      • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                      • _abort.LIBCMT ref: 0044714D
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$_free$_abort
                                                      • String ID:
                                                      • API String ID: 3160817290-0
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E25
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E39
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E46
                                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E55
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E67
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E6A
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419F8C
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FA0
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FAD
                                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FBC
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FCE
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FD1
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F27
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F3B
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F48
                                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F57
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F69
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F6C
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      APIs
                                                      • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24
                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412BC5
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Enum$InfoQueryValue
                                                      • String ID: [regsplt]$TG
                                                      • API String ID: 3554306468-170812940
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: E
                                                      • API String ID: 0-2089609516
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe,00000104), ref: 00442924
                                                      • _free.LIBCMT ref: 004429EF
                                                      • _free.LIBCMT ref: 004429F9
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$FileModuleName
                                                      • String ID: 8([$C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe
                                                      • API String ID: 2506810119-2511246626
                                                      APIs
                                                        • Part of subcall function 0041265C: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0041267E
                                                        • Part of subcall function 0041265C: RegQueryValueExW.ADVAPI32(?,0040E18D,00000000,00000000,?,00000400), ref: 0041269D
                                                        • Part of subcall function 0041265C: RegCloseKey.ADVAPI32(?), ref: 004126A6
                                                        • Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
                                                        • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
                                                      • _wcslen.LIBCMT ref: 0041AB01
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                      • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                                      • API String ID: 3286818993-4246244872
                                                      APIs
                                                        • Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
                                                        • Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C
                                                        • Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6
                                                      • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                        • Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
                                                        • Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                      • String ID: [End of clipboard]$[Text copied to clipboard]$TmG$XmG
                                                      • API String ID: 2974294136-1855599884
                                                      • Opcode ID: 6be3199e03e4d79244a0686247a10a62383e0a85fc1942f24318a510031ea9ae
                                                      • Instruction ID: 2623299308dd9d50029d580546b1e3590cd03a5acc49d0be8ee118f943746456
                                                      • Opcode Fuzzy Hash: 6be3199e03e4d79244a0686247a10a62383e0a85fc1942f24318a510031ea9ae
                                                      • Instruction Fuzzy Hash: FB216131A102155ACB24FB65D8929EE7775AF54318F10403FF506772E2EF3C6E4A868D
                                                      APIs
                                                      • RegisterClassExA.USER32(00000030), ref: 0041CC77
                                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
                                                      • GetLastError.KERNEL32 ref: 0041CC9C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ClassCreateErrorLastRegisterWindow
                                                      • String ID: 0$MsgWindowClass
                                                      • API String ID: 2877667751-2410386613
                                                      • Opcode ID: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
                                                      • Instruction ID: c9edb97a89f7ec8dfbaa779d36c224b53f51aa00da94833f787b12e8c600820c
                                                      • Opcode Fuzzy Hash: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
                                                      • Instruction Fuzzy Hash: 2001E9B1D1021DAF8B00DF9ADCC49EFFBBDBE49355B50452AE414B6100EB708A458AA5
                                                      APIs
                                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                      • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                      • CloseHandle.KERNEL32(?), ref: 00406A14
                                                      Strings
                                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                      • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandle$CreateProcess
                                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                      • API String ID: 2922976086-4183131282
                                                      • Opcode ID: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
                                                      • Instruction ID: 0865c4136dfbb59e32125d892e445ee09242962a1e3dc4bc305b740a121ed375
                                                      • Opcode Fuzzy Hash: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
                                                      • Instruction Fuzzy Hash: 68F090B690029D7ACB20ABD69C0EECF7F3CEBC5B11F01046ABA04A2051DA706104CAB8
                                                      Strings
                                                      • Rmc-DCXXDI, xrefs: 0040693F
                                                      • C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe, xrefs: 00406927
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: C:\Users\user\Desktop\173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe$Rmc-DCXXDI
                                                      • API String ID: 0-1773504347
                                                      • Opcode ID: 68549dc5139d56a2d1ebd5a20fc71dabf1e7981f7a57b1309e8f30a02d7c51f6
                                                      • Instruction ID: ac3f053366391772af188fc274efb03f25e4c049f181d6a95d7665767018bac5
                                                      • Opcode Fuzzy Hash: 68549dc5139d56a2d1ebd5a20fc71dabf1e7981f7a57b1309e8f30a02d7c51f6
                                                      • Instruction Fuzzy Hash: 4FF0F6B17022109BDB103B34AD1966A3A45DB40346F01807BF98BFA6E2DF7C8851C68C
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044279A,?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002), ref: 00442809
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044281C
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,0044279A,?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 0044283F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      • Opcode ID: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
                                                      • Instruction ID: e557d05a47d06e8d32a7f66c2c4e22cdfb14d47a79db446b90f8ad9ee3cbc836
                                                      • Opcode Fuzzy Hash: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
                                                      • Instruction Fuzzy Hash: 8CF0A430900309FBDB119F94DD09B9EBFB4EB08753F4041B9F805A2261DF789D44CA98
                                                      APIs
                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004755B0,00414F47,00000000,00000000,00000001), ref: 00404AED
                                                      • SetEvent.KERNEL32(00000304), ref: 00404AF9
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                      • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                      • String ID: KeepAlive | Disabled
                                                      • API String ID: 2993684571-305739064
                                                      • Opcode ID: 87b3d8b3ec28cdfa47286890c680b6ef87dd714ebeb2c7092d66f3d4d30662f2
                                                      • Instruction ID: 7c4d48bbaa8a7164c3353f7df4ad5523490a6ea0f3ebe4e46dcacb08dafaa92a
                                                      • Opcode Fuzzy Hash: 87b3d8b3ec28cdfa47286890c680b6ef87dd714ebeb2c7092d66f3d4d30662f2
                                                      • Instruction Fuzzy Hash: 31F096B19047007BDB1137759D0B66B7F58AB46325F00096FF492A26F2DE39D8508B5E
                                                      APIs
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041A15A
                                                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041A168
                                                      • Sleep.KERNEL32(00002710), ref: 0041A16F
                                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041A178
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                                      • String ID: Alarm triggered
                                                      • API String ID: 614609389-2816303416
                                                      • Opcode ID: 4a48c68418f768cffa6c3ed767b5f5e80af739637c9128b647918063f34aba9e
                                                      • Instruction ID: 198adcd2ac8b5b4b9acde76a755fda1533c143b191b85f9fe5233f4cbfc21951
                                                      • Opcode Fuzzy Hash: 4a48c68418f768cffa6c3ed767b5f5e80af739637c9128b647918063f34aba9e
                                                      • Instruction Fuzzy Hash: 79E01A22A04261379520337B7D0FD6F3D28EAC7B65741006FF905A6192EE580811C6FB
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041C10D), ref: 0041C084
                                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C091
                                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041C10D), ref: 0041C09E
                                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C0B1
                                                      Strings
                                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041C0A4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                      • API String ID: 3024135584-2418719853
                                                      • Opcode ID: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
                                                      • Instruction ID: f27d36e20d2a67c690befc106ea5cafab99e09d075a2dfca7d32a9b7008c9529
                                                      • Opcode Fuzzy Hash: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
                                                      • Instruction Fuzzy Hash: 57E04F62604348BBD30037F6AC4EDAB3B7CE784617B10092AF612A01D3ED7484468B79
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a796732182faefe73add1043189caf6ca4f606f7631d49291716b08cb320153
                                                      • Instruction ID: 7c1105064789ab48ae90d42f937b6a9cbc34ac1ed42c20d541c6d1c3f1a57216
                                                      • Opcode Fuzzy Hash: 2a796732182faefe73add1043189caf6ca4f606f7631d49291716b08cb320153
                                                      • Instruction Fuzzy Hash: 7671D371900216AFEF20CF54C884ABFBB75EF45310F14422BEA15A7281DB788C61CFA9
                                                      APIs
                                                        • Part of subcall function 00410691: SetLastError.KERNEL32(0000000D,00410C10,?,00000000), ref: 00410697
                                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410C9C
                                                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410D02
                                                      • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410D09
                                                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410E17
                                                      • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410E41
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                      • String ID:
                                                      • API String ID: 3525466593-0
                                                      • Opcode ID: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
                                                      • Instruction ID: e2f64966b18619331c3eea81ef564f6afd9e4387f8ea08f62d3b86939114ae32
                                                      • Opcode Fuzzy Hash: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
                                                      • Instruction Fuzzy Hash: 8E61E570200305ABD710AF56C981BA77BA5BF84308F04451EF909CB382DBF8E8D5CB99
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
                                                      • Instruction ID: 036c3dfb054a6f01566e3cd8d28730a68c174e79056a6e67996f15c63748089b
                                                      • Opcode Fuzzy Hash: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
                                                      • Instruction Fuzzy Hash: F341D636A002049FEB20DF79C881A5EB7B5FF88718F1545AEE915EB351DA35EE01CB84
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E5FD,?,00000000,?,00000001,?,?,00000001,0043E5FD,?), ref: 00450130
                                                      • __alloca_probe_16.LIBCMT ref: 00450168
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004501B9
                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00439BCF,?), ref: 004501CB
                                                      • __freea.LIBCMT ref: 004501D4
                                                        • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                      • String ID:
                                                      • API String ID: 313313983-0
                                                      • Opcode ID: daed02162d7f278869bfaea3c7a8f88d5c2a2d3218cc1490f903801f97ac0c2c
                                                      • Instruction ID: d7464a72994917abc30d80f71ec8451e4cba9cf5435b4dea42e63c5c2bdc5daf
                                                      • Opcode Fuzzy Hash: daed02162d7f278869bfaea3c7a8f88d5c2a2d3218cc1490f903801f97ac0c2c
                                                      • Instruction Fuzzy Hash: 9631E132A0060AABDF249F65DC41DAF7BA5EB00311F05416AFC04E7252EB3ACD54CBA5
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044E354
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E377
                                                        • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E39D
                                                      • _free.LIBCMT ref: 0044E3B0
                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E3BF
                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                      • String ID:
                                                      • API String ID: 336800556-0
                                                      • Opcode ID: 1d4758ed0160ac471983c8ffd3a0470c3cf8fd4ea00c3cafbe93e28275fbbba9
                                                      • Instruction ID: 5f1b7bba735f2dc00ee4e6ee14e94985e19ed078b50b1d1b699098eccd63c47a
                                                      • Opcode Fuzzy Hash: 1d4758ed0160ac471983c8ffd3a0470c3cf8fd4ea00c3cafbe93e28275fbbba9
                                                      • Instruction Fuzzy Hash: D50171726017157F73221A776C88C7B6A6DEAC2F65315012EFD05D3241DE698C0291B9
                                                      APIs
                                                      • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445569,00440CA8,00000000,?,?,?,?,00440E8B,00000000,0000000A,000000FF,0000000A,00000000), ref: 00447158
                                                      • _free.LIBCMT ref: 0044718D
                                                      • _free.LIBCMT ref: 004471B4
                                                      • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 004471C1
                                                      • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 004471CA
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
                                                      • Instruction ID: 9627307c59aa3692a64de8377ee3c20019e30fe80ec8d82769d3f9bfdfbdb6fb
                                                      • Opcode Fuzzy Hash: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
                                                      • Instruction Fuzzy Hash: 3E01F97624CB102BB30267B95C85D2B2A29DBC17B6726012FF509A6392EF2C8C07515D
                                                      APIs
                                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
                                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
                                                      • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B5D3
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5DE
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5E6
                                                      • API ID: Process$CloseHandleOpen$FileImageName
                                                      • String ID:
                                                      • API String ID: 2951400881-0
                                                      • Opcode ID: ef8d0d82becda269430901369212c52b3606b15fcf963f3a122b886808132bbc
                                                      • Instruction ID: 5d23c8c1f4703883972a4236376900cac23e2486f01e1b2fafccabe2f4d6955e
                                                      • Opcode Fuzzy Hash: ef8d0d82becda269430901369212c52b3606b15fcf963f3a122b886808132bbc
                                                      • Instruction Fuzzy Hash: D5F049712003167BD31167558C4AFABB66ECF40B9AF01002BF611E21A2EF74DDC146BD
                                                      APIs
                                                      • _free.LIBCMT ref: 0044F9C5
                                                        • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                        • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                      • _free.LIBCMT ref: 0044F9D7
                                                      • _free.LIBCMT ref: 0044F9E9
                                                      • _free.LIBCMT ref: 0044F9FB
                                                      • _free.LIBCMT ref: 0044FA0D
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
                                                      • Instruction ID: 2de1f51a18cc7960585f1cc37bbb46b0208bdbaa703fd0d38dd13c161260ee8b
                                                      • Opcode Fuzzy Hash: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
                                                      • Instruction Fuzzy Hash: B5F012725042107BA620DF59FAC6D1773E9EA457247A5482BF18DEBA51C738FCC0865C
                                                      APIs
                                                      • _free.LIBCMT ref: 00443515
                                                        • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                        • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                      • _free.LIBCMT ref: 00443527
                                                      • _free.LIBCMT ref: 0044353A
                                                      • _free.LIBCMT ref: 0044354B
                                                      • _free.LIBCMT ref: 0044355C
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
                                                      • Instruction ID: bf08c2b723e6da78e2f9a692d3f9dcffc94df7bb1312aea5ebb3a1bf48e2a6b8
                                                      • Opcode Fuzzy Hash: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
                                                      • Instruction Fuzzy Hash: 4EF0FEB08011219FD726AF69BE414063BA0F709764346113BF45E66B71E7790982EB8E
                                                      APIs
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0041694E
                                                      • GetWindowTextW.USER32(?,?,0000012C), ref: 00416980
                                                      • IsWindowVisible.USER32(?), ref: 00416987
                                                        • Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
                                                        • Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
                                                      Strings
                                                      • API ID: ProcessWindow$Open$TextThreadVisible
                                                      • String ID: 0VG
                                                      • API String ID: 3142014140-3748860515
                                                      • Opcode ID: 8040e70f99a29c17371243be5b0374263071332b934c14761d81ab03223ac4bc
                                                      • Instruction ID: a92d2c2722018a5f2df8734f3a85bf91d45912e01cb50305def5a483f7f9536a
                                                      • Opcode Fuzzy Hash: 8040e70f99a29c17371243be5b0374263071332b934c14761d81ab03223ac4bc
                                                      • Instruction Fuzzy Hash: FE71C3311082415AC335FB61D8A5ADFB3E4EFD4308F50493EB58A530E1EF74AA49CB9A
                                                      APIs
                                                      • _strpbrk.LIBCMT ref: 0044D6B8
                                                      • _free.LIBCMT ref: 0044D7D5
                                                        • Part of subcall function 0043AA64: IsProcessorFeaturePresent.KERNEL32(00000017,0043AA36,00000000,0000000A,0000000A,00000000,0041AF72,00000022,?,?,0043AA43,00000000,00000000,00000000,00000000,00000000), ref: 0043AA66
                                                        • Part of subcall function 0043AA64: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043AA88
                                                        • Part of subcall function 0043AA64: TerminateProcess.KERNEL32(00000000), ref: 0043AA8F
                                                      Strings
                                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                      • String ID: *?$.
                                                      • API String ID: 2812119850-3972193922
                                                      • Opcode ID: a944b580e8880c8e130e00bdfc146e92b9e44dab990486ab21efc68c0a65a633
                                                      • Instruction ID: 04f9c45711fae47bd805a28d6c684d852fff3551aaaea8338e0504d4b1d9eb7e
                                                      • Opcode Fuzzy Hash: a944b580e8880c8e130e00bdfc146e92b9e44dab990486ab21efc68c0a65a633
                                                      • Instruction Fuzzy Hash: C251B175E00209AFEF14DFA9C881AAEBBB5EF58314F25416FE854E7301E6399E01CB54
                                                      APIs
                                                      • send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      • WaitForSingleObject.KERNEL32(00000330,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
                                                      • SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C
                                                      Strings
                                                      • API ID: EventObjectSingleWaitsend
                                                      • String ID: {NAL
                                                      • API String ID: 3963590051-1903569844
                                                      • Opcode ID: 438a4a486c613dad8f91b4ef8ef70ced317a48407eae681756782b40dc658345
                                                      • Instruction ID: 09920f02ef31e30e393b68ef0c8285e211ae926702cc5adcda46913b737bad1c
                                                      • Opcode Fuzzy Hash: 438a4a486c613dad8f91b4ef8ef70ced317a48407eae681756782b40dc658345
                                                      • Instruction Fuzzy Hash: 552137B29005156BCF04ABA5DC96DEE777CBF54358B00413EF916B21E1EE78A504C6E4
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                        • Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A
                                                        • Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
                                                        • Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB
                                                        • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                      • Sleep.KERNEL32(000000FA,00466324), ref: 00403AFC
                                                      Strings
                                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                      • String ID: /sort "Visit Time" /stext "$0NG
                                                      • API String ID: 368326130-3219657780
                                                      • Opcode ID: b9ea6b50cec41ec040a9f76ae8369c1ad19d6b37305134aedebb5ccf8f56233d
                                                      • Instruction ID: 03df4c4d2d4284c33795d9a7a6d048d6c9d09091ba23d5cef523323604a75e49
                                                      • Opcode Fuzzy Hash: b9ea6b50cec41ec040a9f76ae8369c1ad19d6b37305134aedebb5ccf8f56233d
                                                      • Instruction Fuzzy Hash: 88319531A0011456CB14FB76DC969EE7779AF80318F00007FF906B31D2EF385A4AC699
                                                      APIs
                                                      • _free.LIBCMT ref: 004483ED
                                                      • _free.LIBCMT ref: 00448443
                                                        • Part of subcall function 0044821F: _free.LIBCMT ref: 00448277
                                                        • Part of subcall function 0044821F: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
                                                        • Part of subcall function 0044821F: WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
                                                        • Part of subcall function 0044821F: WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                      • String ID: xE
                                                      • API String ID: 314583886-407097786
                                                      • Opcode ID: 9c637a4c831fe7eeac3cdc02b43c82e31c030d80d9709743783fb0f8cc9b1dbe
                                                      • Instruction ID: 75d3a8e9ed6c4df3bbb87a82b1f0f54536a25ed198edf9988c125f258b025633
                                                      • Instruction Fuzzy Hash: 90213B3280013957F730A7259C46DEF7378DB41724F1102AFEC98A2191EF784DC189AD
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                      • wsprintfW.USER32 ref: 0040A905
                                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: EventLocalTimewsprintf
                                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                      • API String ID: 1497725170-1359877963
                                                      • Opcode ID: 2c1e205bf1f5052a51d4638fd4dd379fe1f7b993f8f7852f87f4d6bf88a020b2
                                                      • Instruction ID: eacaba0d290b76b22f399a57737f65b18f8a023abca8575ba11697f47f6457b1
                                                      • Instruction Fuzzy Hash: F1115172500118AACB18FB96EC56CFF77B8AE48715B00013FF542621D1EF7C5A86C6E9
                                                      APIs
                                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                      • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                      • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread$LocalTime$wsprintf
                                                      • String ID: Online Keylogger Started
                                                      • API String ID: 112202259-1258561607
                                                      • Opcode ID: e51d8b7f57c875fd14822fa47be4c1fb55d37c331493fca39a38941afd0278ea
                                                      • Instruction ID: 13545b77b67cc4507d33d8d8c8ff512a749ba16b8a43449315e0da64450a8124
                                                      • Instruction Fuzzy Hash: E80161A1A003193AE62076768C86DBF7A6DCA813A8F41043EF541662C3EA7D5D5582FA
                                                      APIs
                                                      • CloseHandle.KERNEL32(00000000,00000000,8@,?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACD9
                                                      • GetLastError.KERNEL32(?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACE3
                                                      • __dosmaperr.LIBCMT ref: 0044AD0E
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                      • String ID: 8@
                                                      • API String ID: 2583163307-819625340
                                                      • Opcode ID: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
                                                      • Instruction ID: 727ae4bd5dc399200e14d16721253afac520870d53d00e52bc8525c117eb1139
                                                      • Instruction Fuzzy Hash: 6F018836640A100BF3212634688573F67498B91B39F29022FF804872D2CE2D8CC1919F
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                      • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                      • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEventHandleObjectSingleWait
                                                      • String ID: Connection Timeout
                                                      • API String ID: 2055531096-499159329
                                                      • Opcode ID: c54170f10c28a2d70f0f06c2367e9daa17625b27f18bd79627845602b5625e1d
                                                      • Instruction ID: 3c9b6871d48b6b3111a672927d5bafc1cfd46058a166b60e959a8cf6be3f516d
                                                      • Instruction Fuzzy Hash: 1601F5B1900B41AFD325BB3A8C4255ABFE4AB45315740053FE293A2BA2DE38E440CB5E
                                                      APIs
                                                      • RegCreateKeyW.ADVAPI32(80000001,00000000,004752F0), ref: 00412857
                                                      • RegSetValueExW.ADVAPI32(004752F0,?,00000000,00000001,00000000,00000000,00475308,?,0040E6A3,pth_unenc,004752F0), ref: 00412885
                                                      • RegCloseKey.ADVAPI32(004752F0,?,0040E6A3,pth_unenc,004752F0), ref: 00412890
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID: pth_unenc
                                                      • API String ID: 1818849710-4028850238
                                                      • Opcode ID: b3a4cd364a4f7c7358af441d7ba84bfe6998b6fc3540b8922562f2b11cb0be87
                                                      • Instruction ID: ab464752906d06cf6e422ab9fb9c42b8cedad3247386a7cb387aa37f92243dc4
                                                      • Instruction Fuzzy Hash: 2DF09071500218BBDF50AFA0EE46FEE376CEF40B55F10452AF902B60A1EF75DA08DA94
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040CE9C
                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CEDB
                                                        • Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 004349EC
                                                        • Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 00434A10
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CEFF
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                      • String ID: bad locale name
                                                      • API String ID: 3628047217-1405518554
                                                      • Opcode ID: 010949cb006bc602daa897d098c336462d98aae1940c118575e4f0b09407aa79
                                                      • Instruction ID: d3fe92e39fe1a76843bdcbebe92e6b3b15f8dcb0f99b50ce5c9cc2ba4b618b17
                                                      • Instruction Fuzzy Hash: FEF03171004214AAC768FB62D853ADE77A4AF14758F504B3FF046224D2AF7CB619C688
                                                      APIs
                                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041538C
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExecuteShell
                                                      • String ID: /C $cmd.exe$open
                                                      • API String ID: 587946157-3896048727
                                                      • Opcode ID: ee5632475eb46ff15070bdf5b556040dc051f9dd48e26135e6c52f0a98a02d4f
                                                      • Instruction ID: 200bce0b0309f38ec9064e519a9a4578f5a600b3ca3b701a036ea6d1077247ba
                                                      • Instruction Fuzzy Hash: F1E0C0B11043406AC708FB65DC96DBF77AC9A90749F10483FB582621E2EE78A949865E
                                                      APIs
                                                      • TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
                                                      • UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
                                                      • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: TerminateThread$HookUnhookWindows
                                                      • String ID: pth_unenc
                                                      • API String ID: 3123878439-4028850238
                                                      • Opcode ID: 5ce168509fd4f53ac483e5472d8910f69c83d539265d002f33f874c0df2e9344
                                                      • Instruction ID: 19faee7e247875c6ed4f8509c992ad96cda0262a64c11258bcf204109443e34b
                                                      • Instruction Fuzzy Hash: BEE01DB1245715DFD3101F545C94825BB99EB44746324087FF6C165252CD798C14C759
                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __alldvrm$_strrchr
                                                      • String ID:
                                                      • API String ID: 1036877536-0
                                                      • Opcode ID: af13233f64bff1d952fd16752439a8415c6481e4108584e155c4282d62de78f9
                                                      • Instruction ID: 0b1f6a9dfc50a2d3a5cef35921af3bd2f2baba9a31ad448e356136b6fbdd55d0
                                                      • Instruction Fuzzy Hash: 3AA14532A042869FFB258E18C8817AFBBA1EF15354F1841AFE8859B382C67C8D41D758
                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 74ece5ab94bf9e1454a637eee9e3d981c9d933d52cb43566ce5b815ebd6edde4
                                                      • Instruction ID: 0bd1fcef5d7791e57e96aa6a4775832058b0444fd7bffa6098b49987863132bf
                                                      • Instruction Fuzzy Hash: 64415D31900F00ABEF227AB98C9667F3A75DF01775F14411FFC1896293D63C890986AA
                                                      APIs
                                                      Strings
                                                      • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                      • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                      • API String ID: 3472027048-1236744412
                                                      • Opcode ID: 974243172e929ecbed863af11f3888abaeff5056eaa34a0c48e853e7952ed2f5
                                                      • Instruction ID: 247d09dce9e3c977c7e86e48a76dae703d52755688f8fe644b587970fcea700c
                                                      • Opcode Fuzzy Hash: 974243172e929ecbed863af11f3888abaeff5056eaa34a0c48e853e7952ed2f5
                                                      • Instruction Fuzzy Hash: FE31A81124C38069CA117B7514167AB6F958A93754F08847FE8C4273E3DB7A480883EF
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: SystemTimes$Sleep__aulldiv
                                                      • String ID:
                                                      • API String ID: 188215759-0
                                                      • Opcode ID: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
                                                      • Instruction ID: 7cb4eddd506215a21d9c44be4850b318e12e80d273729b61be08d6c7a3dfdc1e
                                                      • Opcode Fuzzy Hash: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
                                                      • Instruction Fuzzy Hash: 9A216D725043009FC304EF65D9858AFB7E8EFC8714F044A2EF58593251EA38EA49CBA7
                                                      APIs
                                                        • Part of subcall function 0041B8F1: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B901
                                                        • Part of subcall function 0041B8F1: GetWindowTextLengthW.USER32(00000000), ref: 0041B90A
                                                        • Part of subcall function 0041B8F1: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B934
                                                      • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                      • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$SleepText$ForegroundLength
                                                      • String ID: [ $ ]
                                                      • API String ID: 3309952895-93608704
                                                      • Opcode ID: a49d20d3ecb8acddbd4132256805943c56c930b2d695a3c4727dac55219dcbc1
                                                      • Instruction ID: 7bed66d096a43dd94c2219bc8d3cdd3a5a7df98386a17a5ae9bf36b343ab91a8
                                                      • Opcode Fuzzy Hash: a49d20d3ecb8acddbd4132256805943c56c930b2d695a3c4727dac55219dcbc1
                                                      • Instruction Fuzzy Hash: AF119F315042009BD218BB26DC17AAEBBA8AF41708F40047FF542621D3EF79AA1986DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
                                                      • Instruction ID: b58c8eca075ef28bddc965f0bc4d2171c3ec1f8ef65ef5096018edf4bb449d44
                                                      • Opcode Fuzzy Hash: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
                                                      • Instruction Fuzzy Hash: 2501F2B26093163EF61016796CC1F27671CEF417B8BB1032BB626612D2EEA88C46606D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
                                                      • Instruction ID: 7fe3e8edc5bbc175eb6928fc2517c3e9b6b95ea9c4057c88a91cd5d3c4beb3ed
                                                      • Opcode Fuzzy Hash: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
                                                      • Instruction Fuzzy Hash: F201F9B22096167EB61016796DC4D27676DEF813B83F1033BF421612D1EEA8CC44A179
                                                      APIs
                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043831F
                                                        • Part of subcall function 0043826C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043829B
                                                        • Part of subcall function 0043826C: ___AdjustPointer.LIBCMT ref: 004382B6
                                                      • _UnwindNestedFrames.LIBCMT ref: 00438334
                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438345
                                                      • CallCatchBlock.LIBVCRUNTIME ref: 0043836D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                      • String ID:
                                                      • API String ID: 737400349-0
                                                      • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                      • Instruction ID: 0bcd00d322a0ad7a372b2cc4a74953bc209b0d499cbe7a3061e5fba3b10c2df3
                                                      • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                      • Instruction Fuzzy Hash: 3E014072100248BBDF126E96CC41DEF7B69EF4C758F04501DFE4866221D73AE861DBA4
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue), ref: 00447452
                                                      • GetLastError.KERNEL32(?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000,00000364,?,004471A1), ref: 0044745E
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000), ref: 0044746C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LibraryLoad$ErrorLast
                                                      • String ID:
                                                      • API String ID: 3177248105-0
                                                      • Opcode ID: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
                                                      • Instruction ID: 55721a836d87515a1eea2a56d4c7bce34062b93f94d6470a2cb527c4f3a692dc
                                                      • Opcode Fuzzy Hash: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
                                                      • Instruction Fuzzy Hash: 6D01FC326497366BD7314F789C44A777FD8AF047617114535F906E3241DF28D802C6E8
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B852
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B877
                                                      • CloseHandle.KERNEL32(00000000), ref: 0041B885
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleReadSize
                                                      • String ID:
                                                      • API String ID: 3919263394-0
                                                      • Opcode ID: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
                                                      • Instruction ID: 2a104a3335fe37b36386f9496d9e2b25d881a91c22a4f34d2042fa75e5cfbfce
                                                      • Opcode Fuzzy Hash: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
                                                      • Instruction Fuzzy Hash: 47F0C2B12422047FE6102F25AC89FBF3A5CDB86BA9F10023EF801A2291DE258C0581B9
                                                      APIs
                                                      • GetSystemMetrics.USER32(0000004C), ref: 0041870F
                                                      • GetSystemMetrics.USER32(0000004D), ref: 00418715
                                                      • GetSystemMetrics.USER32(0000004E), ref: 0041871B
                                                      • GetSystemMetrics.USER32(0000004F), ref: 00418721
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MetricsSystem
                                                      • String ID:
                                                      • API String ID: 4116985748-0
                                                      • Opcode ID: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
                                                      • Instruction ID: 0d34e4fe417a410293abd419840fb627d3fd172a5f9f2d4f3f0ee0adad43daa0
                                                      • Opcode Fuzzy Hash: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
                                                      • Instruction Fuzzy Hash: 26F0D672B043215BCB00AB754C4596EBB969FC03A4F25083FFA159B381EE78EC4687D9
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 0044217D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorHandling__start
                                                      • String ID: pow
                                                      • API String ID: 3213639722-2276729525
                                                      • Opcode ID: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
                                                      • Instruction ID: 9e1bbc3390eeabea57be79b34f62796538476165ffe421cdb5ba0d05f4dc7be1
                                                      • Opcode Fuzzy Hash: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
                                                      • Instruction Fuzzy Hash: 7251AF61A0A20297F7557B15CE8137B2B90EB50741F684D6BF085423E9EB7CCC819F4E
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID: <kG$<kG
                                                      • API String ID: 2931989736-383723866
                                                      • Opcode ID: 21e918851be83e46baa3e5e3c8b8b30cd909724b045746f3163941703dd33272
                                                      • Instruction ID: 841d78c923fca9e627808cf77cab3bf97fcfd39527adbe47470f5cf9fadca134
                                                      • Opcode Fuzzy Hash: 21e918851be83e46baa3e5e3c8b8b30cd909724b045746f3163941703dd33272
                                                      • Instruction Fuzzy Hash: 9F613471604B0A9ED710DF28D8806A6B7A5FF18304F440A3FEC5CCF656E3B8A955C7A9
                                                      APIs
                                                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                        • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                        • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                        • Part of subcall function 0041B8B5: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041B8CA
                                                        • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                      • String ID: pQG$NG
                                                      • API String ID: 2334542088-921107917
                                                      • Opcode ID: baae2f31211816717d1891d12ba902b559df7df93e5a23e8c27409df4f7124f2
                                                      • Instruction ID: 713adcd63a50277e86c853b9c7bd1a900ae8bd87492a3ad9f31fb308660c5d8e
                                                      • Opcode Fuzzy Hash: baae2f31211816717d1891d12ba902b559df7df93e5a23e8c27409df4f7124f2
                                                      • Instruction Fuzzy Hash: BB5141321082405AC365F775D8A2AEF73E5AFD4308F50483FF84A671E2EE789949C69D
                                                      APIs
                                                      • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DD69
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Info
                                                      • String ID: $vD
                                                      • API String ID: 1807457897-3636070802
                                                      • Opcode ID: af2dbb740455362532db4c6e27cef1bba8ecc5757f530743f693fef6f10ca257
                                                      • Instruction ID: 6a53932102cf2f29093c464eb4c67803ff3648b28b3ba8b7d074bec3f8911faa
                                                      • Opcode Fuzzy Hash: af2dbb740455362532db4c6e27cef1bba8ecc5757f530743f693fef6f10ca257
                                                      • Instruction Fuzzy Hash: D0415DB0D047489BEF218E24CC84AF6BBF9DF55708F2404EEE58A87142D239AD45DF65
                                                      APIs
                                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417DFE
                                                        • Part of subcall function 00417988: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417E11,00000000,?,?,?,?,00000000), ref: 0041799C
                                                      • SHCreateMemStream.SHLWAPI(00000000), ref: 00417E4B
                                                        • Part of subcall function 004179FB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417E67,00000000,?,?), ref: 00417A0D
                                                        • Part of subcall function 004179AB: GdipDisposeImage.GDIPLUS(?,00417EC2), ref: 004179B4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                      • String ID: image/jpeg
                                                      • API String ID: 1291196975-3785015651
                                                      • Opcode ID: c0c6e86b316e55d66ebf2cdb0a10bdafe60ea560917bbaebe4dfd9cc843f5356
                                                      • Instruction ID: 8af81f403c9bc23e7458ee74b157d237c4b9220e470ad7f048828f44144df9d5
                                                      • Opcode Fuzzy Hash: c0c6e86b316e55d66ebf2cdb0a10bdafe60ea560917bbaebe4dfd9cc843f5356
                                                      • Instruction Fuzzy Hash: 23313C71518204AFC301EF65C884DAFB7E9EF8A704F000A6EF98597251DB79D9098BA6
                                                      APIs
                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450D49,?,00000050,?,?,?,?,?), ref: 00450BC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ACP$OCP
                                                      • API String ID: 0-711371036
                                                      • Opcode ID: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
                                                      • Instruction ID: d29bb87f3b47b124c8bd6c760bb86eb4cd4ec0f84f402c6b2e0ab732353f73f5
                                                      • Opcode Fuzzy Hash: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
                                                      • Instruction Fuzzy Hash: 4021F72AA00105A6E7308FD48C82B977396AB50B1BF564467ED09D7303F73AFD09C358
                                                      APIs
                                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417EEA
                                                        • Part of subcall function 00417988: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417E11,00000000,?,?,?,?,00000000), ref: 0041799C
                                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417F0F
                                                        • Part of subcall function 004179FB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417E67,00000000,?,?), ref: 00417A0D
                                                        • Part of subcall function 004179AB: GdipDisposeImage.GDIPLUS(?,00417EC2), ref: 004179B4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                      • String ID: image/png
                                                      • API String ID: 1291196975-2966254431
                                                      • Opcode ID: af5d1f129cd5bd430e2235d416c6cbdfecbf91bf363856a8bd94ba4e637429f2
                                                      • Instruction ID: ee77ca1c213fe0bce41e511bbcee913114c194eb695e7cc9890245c9a4d1a3c2
                                                      • Opcode Fuzzy Hash: af5d1f129cd5bd430e2235d416c6cbdfecbf91bf363856a8bd94ba4e637429f2
                                                      • Instruction Fuzzy Hash: B9219F71204210AFC301AB61CC88DBFBBBDEFCA714B00052EF94693261DB389945CBA6
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID: P*G$T*G
                                                      • API String ID: 269201875-829108958
                                                      • Opcode ID: 2f751c0efca173fa551c184794475f0d61f37e7d68ea2317de90041697b8eca5
                                                      • Instruction ID: a7437cf58198a632dccd7940a762e636932f246661e7801d2bdfb2ecead32fa8
                                                      • Opcode Fuzzy Hash: 2f751c0efca173fa551c184794475f0d61f37e7d68ea2317de90041697b8eca5
                                                      • Instruction Fuzzy Hash: 6111E4711443429FFB20DF26D441B53B3E8EB55368B30842FE48A9B281DB78AC859788
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 004049F1
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      • GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 00404A4E
                                                      Strings
                                                      • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocalTime
                                                      • String ID: KeepAlive | Enabled | Timeout:
                                                      • API String ID: 481472006-1507639952
                                                      • Opcode ID: 7b17d1e227f48684207d6be12f6d8554e6a2daeb87b5d1524601f4e1b57e679e
                                                      • Instruction ID: 07f09c1926c096f578aeb4a964dedba27d52497869334d5e310e707c12b0f234
                                                      • Opcode Fuzzy Hash: 7b17d1e227f48684207d6be12f6d8554e6a2daeb87b5d1524601f4e1b57e679e
                                                      • Instruction Fuzzy Hash: 932131B1A042806BD600F77A980635B7B9497C4314F84043FE90C562E2EEBD59898BAF
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00448B53
                                                      • GetFileType.KERNEL32(00000000), ref: 00448B65
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileHandleType
                                                      • String ID: `]]
                                                      • API String ID: 3000768030-2908298338
                                                      • Opcode ID: 709764ea7de61a1ee6b1c7a208d8f310102b3ec00a3095b3a15ed26258e7c2c3
                                                      • Instruction ID: 4d96847604c3c5e89c92e0bae5a56447120e6fba85ff24299cab8e9791f5b951
                                                      • Opcode Fuzzy Hash: 709764ea7de61a1ee6b1c7a208d8f310102b3ec00a3095b3a15ed26258e7c2c3
                                                      • Instruction Fuzzy Hash: E71196B15047814EE7304A3D8C8962B6A54D752334B38071FF5B6967F1CF28E882924D
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID: `]]
                                                      • API String ID: 269201875-2908298338
                                                      • Opcode ID: d7be576e25eb8f91f1c7522a8e83579c420102f8c2aee4373051d9f21f228018
                                                      • Instruction ID: bbcf2e6bbb9829bcdebbaa4262a7be325da62559df7761f078343b1b3ea7e5ad
                                                      • Opcode Fuzzy Hash: d7be576e25eb8f91f1c7522a8e83579c420102f8c2aee4373051d9f21f228018
                                                      • Instruction Fuzzy Hash: EF11B471A803114AE7245F39BD42F563254E704734F15122BEA79DB2E0E7BCC8C2568A
                                                      APIs
                                                      • GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocalTime
                                                      • String ID: | $%02i:%02i:%02i:%03i
                                                      • API String ID: 481472006-2430845779
                                                      • Opcode ID: 93a98d44db7fb0c881bd96abbdce9d50535dabea07bf117fefb48cdc9cbc8cb7
                                                      • Instruction ID: bea5c42f2d95e84a76b62dfc34e9438b8882b4e2d456746f57979f9b7964cbe7
                                                      • Opcode Fuzzy Hash: 93a98d44db7fb0c881bd96abbdce9d50535dabea07bf117fefb48cdc9cbc8cb7
                                                      • Instruction Fuzzy Hash: 0F114C725082405BC704EBA5D8969BF77E8AB94708F10093FF885A31E1EF38DA44C69E
                                                      APIs
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004126EA
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412720
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: QueryValue
                                                      • String ID: TeF
                                                      • API String ID: 3660427363-331424825
                                                      • Opcode ID: d95fd9167a1313fe8c80bfc7e96c72c6aa8b9b847f69a2249def5cc6c104aaba
                                                      • Instruction ID: 3cb62dd7824af05a29d95bf947337739d939994cfcf273d244ad568f401b79ba
                                                      • Opcode Fuzzy Hash: d95fd9167a1313fe8c80bfc7e96c72c6aa8b9b847f69a2249def5cc6c104aaba
                                                      • Instruction Fuzzy Hash: 650184B6A00108BFEB05AB95DD46EFF7ABDEB44240F14007AF901E2241E6B0AF049664
                                                      APIs
                                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0041A0A4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExistsFilePath
                                                      • String ID: TeF$alarm.wav
                                                      • API String ID: 1174141254-486219832
                                                      • Opcode ID: f7ee6337fc654cc0b09d6f8c04168479c952f1b1aa7db7e8f0e02e837cc1a088
                                                      • Instruction ID: 6b61ed94da76c6dc8509722386f9763649bd27766d5c45ddbf5277e073f3d638
                                                      • Opcode Fuzzy Hash: f7ee6337fc654cc0b09d6f8c04168479c952f1b1aa7db7e8f0e02e837cc1a088
                                                      • Instruction Fuzzy Hash: 4D01D23160520166C604B636D8576EE3A458BC0728F50813FF88A666E2EF7CAED5C2DF
                                                      APIs
                                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                        • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                      • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                      • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                      • String ID: Online Keylogger Stopped
                                                      • API String ID: 1623830855-1496645233
                                                      • Opcode ID: 908f31768a51f4bba0f1177a467c2c11ec0582f6bfe0bae760a55f80d2203bb8
                                                      • Instruction ID: da65c2120251a34d34924486d515db36f90714a8cba0a7d82e96ebed52376b78
                                                      • Opcode Fuzzy Hash: 908f31768a51f4bba0f1177a467c2c11ec0582f6bfe0bae760a55f80d2203bb8
                                                      • Instruction Fuzzy Hash: 5901F131A043019BCB25BB35C80B7AEBBB19B45314F40406EE441225D2EB7999A6C3DF
                                                      APIs
                                                        • Part of subcall function 00444CDC: EnterCriticalSection.KERNEL32(-00472558,?,0044246B,00000000,0046EAD0,0000000C,00442426,0000000A,?,?,00448949,0000000A,?,00447184,00000001,00000364), ref: 00444CEB
                                                      • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046ECB8,00000010,0043AF25), ref: 004489D5
                                                      • _free.LIBCMT ref: 004489E3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$DeleteEnter_free
                                                      • String ID: `]]
                                                      • API String ID: 1836352639-2908298338
                                                      • Opcode ID: 9d76c620edcff08112ad37d792de4fd9c43109646451596060a8f89fb46b25c4
                                                      • Instruction ID: 148d79857643bc82b319f24316268943629f83d9e3709ab7633481e59fa6f6a8
                                                      • Opcode Fuzzy Hash: 9d76c620edcff08112ad37d792de4fd9c43109646451596060a8f89fb46b25c4
                                                      • Instruction Fuzzy Hash: F51161715002119FE715DFA9E946BAD73B0FB08724F11411EE5A5AB2E2CF7CE8829B0D
                                                      APIs
                                                      • waveInPrepareHeader.WINMM(005CF588,00000020,?,?,00000000,00476B98,00474EE0,?,00000000,00401913), ref: 00401747
                                                      • waveInAddBuffer.WINMM(005CF588,00000020,?,00000000,00401913), ref: 0040175D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: wave$BufferHeaderPrepare
                                                      • String ID: XMG
                                                      • API String ID: 2315374483-813777761
                                                      • Opcode ID: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
                                                      • Instruction ID: 26799fbdff8c3ec01ad48014b311b0d3f370155dffc0330205344997a7b0d52a
                                                      • Opcode Fuzzy Hash: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
                                                      • Instruction Fuzzy Hash: 6501AD71300300AFD7209F39ED45A69BBB5EF89315B00413EB808E33A2EB74AC50CB98
                                                      APIs
                                                      • IsValidLocale.KERNEL32(00000000,z?D,00000000,00000001,?,?,00443F7A,?,?,?,?,00000004), ref: 004479EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocaleValid
                                                      • String ID: IsValidLocaleName$z?D
                                                      • API String ID: 1901932003-2490211753
                                                      • Opcode ID: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
                                                      • Instruction ID: 892bc6e93789200f6c95030ba230210178196c8f1f686432b442ac7872abfc60
                                                      • Opcode Fuzzy Hash: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
                                                      • Instruction Fuzzy Hash: 06F0E930645218B7DB186F258C06F5E7B95CB05716F50807BFC047A293DE794E0295DD
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: H_prolog
                                                      • String ID: XMG$XMG
                                                      • API String ID: 3519838083-886261599
                                                      • Opcode ID: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
                                                      • Instruction ID: 0a877421dfc5135a28098138b17ad9f721677e320a6d1c8a6a2adbe775497da7
                                                      • Opcode Fuzzy Hash: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
                                                      • Instruction Fuzzy Hash: D4F0E9B1B00211ABC715BB65880569EB768EF41369F01827FB416772E1CFBD5D04975C
                                                      APIs
                                                      • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                        • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,00475108), ref: 00409B3F
                                                        • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                        • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                        • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                        • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,00475108), ref: 00409B67
                                                        • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047515C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                        • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                      • String ID: [AltL]$[AltR]
                                                      • API String ID: 2738857842-2658077756
                                                      • Opcode ID: 013d8eb75564844e77d0a130007ea633e5b9443d2c6b05f924e9c22f592720ae
                                                      • Instruction ID: 4c389cf0edc94a27bb3bc0fddc987b72c0da48b50f0a0a77cbfc03dd010ffeca
                                                      • Opcode Fuzzy Hash: 013d8eb75564844e77d0a130007ea633e5b9443d2c6b05f924e9c22f592720ae
                                                      • Instruction Fuzzy Hash: 9AE09B2134032117C898323EA91B6EE3A218F82F65B80016FF8427BADADD7D4D5043CF
                                                      APIs
                                                      • _free.LIBCMT ref: 00448A35
                                                        • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                        • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorFreeHeapLast_free
                                                      • String ID: 8@$8@
                                                      • API String ID: 1353095263-3408345419
                                                      • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                      • Instruction ID: 8fe4af4b93ebf6b2b13329648f525de20a5552277f2be9521e73d3219e6c2dc0
                                                      • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                      • Instruction Fuzzy Hash: 01E092361003059F8720CF6DD400A86B7F4EF95720720852FE89EE3710D731E812CB40
                                                      APIs
                                                      • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: State
                                                      • String ID: [CtrlL]$[CtrlR]
                                                      • API String ID: 1649606143-2446555240
                                                      • Opcode ID: 4cd3fd2045822c407c10e6f4791885f4ed8356674f4e2c80592f01f7e92f4c5a
                                                      • Instruction ID: c178b64a75e50e2fccb38c9379e001e6e5e0f6b670105b82eaba8ba361dc1658
                                                      • Opcode Fuzzy Hash: 4cd3fd2045822c407c10e6f4791885f4ed8356674f4e2c80592f01f7e92f4c5a
                                                      • Instruction Fuzzy Hash: 59E0866170031517C514363DD61B67F39128F41B66F80012FF842A7AC6ED7E8D6423CB
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004752F0,00475308,?,pth_unenc), ref: 00412A60
                                                      • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412A70
                                                      Strings
                                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412A5E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteOpenValue
                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                      • API String ID: 2654517830-1051519024
                                                      • Opcode ID: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
                                                      • Instruction ID: 27182704b7fa20b5ed2a2764b3d23dc9a6b68b829b0f6622ee10c7d45645f89b
                                                      • Opcode Fuzzy Hash: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
                                                      • Instruction Fuzzy Hash: F1E01270200308BAEF204FA19E06FEB37ACAB40BC9F004169F601F5191EAB6DD54A658
                                                      APIs
                                                        • Part of subcall function 00448973: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046ECB8,00000010,0043AF25), ref: 004489D5
                                                        • Part of subcall function 00448973: _free.LIBCMT ref: 004489E3
                                                        • Part of subcall function 00448A13: _free.LIBCMT ref: 00448A35
                                                      • DeleteCriticalSection.KERNEL32(005D5D40), ref: 0043AF41
                                                      • _free.LIBCMT ref: 0043AF55
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$CriticalDeleteSection
                                                      • String ID: `]]
                                                      • API String ID: 1906768660-2908298338
                                                      • Opcode ID: 71ff8b17d51679f1d22a336c43bf2a586848bbcdcff3b0266824fadac5e6ad26
                                                      • Instruction ID: c565f5be962e97e7d95751f2e11d368bfb34a8db459f84b373f63e28eeb95a6a
                                                      • Opcode Fuzzy Hash: 71ff8b17d51679f1d22a336c43bf2a586848bbcdcff3b0266824fadac5e6ad26
                                                      • Instruction Fuzzy Hash: 31E0D83280461087D6247F7DFD4195D73A4EB4D725F02042EF859B3161CE6C6CC1674D
                                                      APIs
                                                      • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                      • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteDirectoryFileRemove
                                                      • String ID: pth_unenc
                                                      • API String ID: 3325800564-4028850238
                                                      • Opcode ID: 7b845410b2c100cd84e1cb5c796077768945eb3f9586e929b361309ded2c1d61
                                                      • Instruction ID: b030a41f26c3d5f2e51690188d4bb45887e11e7cc62b1c698fc8f7347c957287
                                                      • Opcode Fuzzy Hash: 7b845410b2c100cd84e1cb5c796077768945eb3f9586e929b361309ded2c1d61
                                                      • Instruction Fuzzy Hash: 12E046715116104BC610AB32E845AEBB798AB05306F00446FE8D3B36A1DE38A948CA98
                                                      APIs
                                                      • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                      • WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ObjectProcessSingleTerminateWait
                                                      • String ID: pth_unenc
                                                      • API String ID: 1872346434-4028850238
                                                      • Opcode ID: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
                                                      • Instruction ID: eef26e02e81300ba4c8cf7f61278c3f59c29627b67378ac59a4e73c1cb1fd9d7
                                                      • Opcode Fuzzy Hash: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
                                                      • Instruction Fuzzy Hash: 24D01234145351AFD7610B60AD19F953F68E705323F108365F428512F1CFB58494AA1C
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CommandLine
                                                      • String ID: 8([
                                                      • API String ID: 3253501508-1960659948
                                                      • Opcode ID: 2af003f58cbc160ee14b683418bbba4d8b8a3db8a81f41d33ad53b69198441d0
                                                      • Instruction ID: 13669fbb96da4af28d6e29504cff827b20a3884a95298ededa59c37acacad3b6
                                                      • Opcode Fuzzy Hash: 2af003f58cbc160ee14b683418bbba4d8b8a3db8a81f41d33ad53b69198441d0
                                                      • Instruction Fuzzy Hash: E7B092788017019FC7519F30BE0C2053BA0B3082033800479D809D3B21DE748082EF08
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FD37
                                                      • GetLastError.KERNEL32 ref: 0043FD45
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FDA0
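                                                      The three calls above form a recognisable shape: MultiByteToWideChar with dwFlags 0x9, GetLastError, then MultiByteToWideChar with dwFlags 0x1. The following is an added example, not part of this report and not Joe Sandbox code: it parses "APIs" bullets of this shape, decodes the dwFlags argument (the second parameter of MultiByteToWideChar; bit values are those of winnls.h, so 0x9 is MB_PRECOMPOSED | MB_ERR_INVALID_CHARS and 0x1 is MB_PRECOMPOSED alone) and flags the strict-conversion, inspect-error, lenient-retry sequence. The bullet grammar in the regular expression is an assumption derived from the lines shown here, and the sample input is the three bullets above copied verbatim.

```python
"""Parse the 'APIs' bullets of a Joe Sandbox function block and decode
MultiByteToWideChar's dwFlags argument. Added example, not report content."""
import re
from typing import Any, Dict, List, Optional

# Bit values from <winnls.h>; these four are the only flags MultiByteToWideChar accepts.
MB_FLAG_NAMES = {
    0x1: "MB_PRECOMPOSED",
    0x2: "MB_COMPOSITE",
    0x4: "MB_USEGLYPHCHARS",
    0x8: "MB_ERR_INVALID_CHARS",
}

# Assumed bullet shape (taken from the lines in this block):
#   "<func>.<module>(<hex or ?>,...), ref: <hex>"  or  "<func>.<module> ref: <hex>"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_line(line: str) -> Optional[Dict[str, Any]]:
    """Return {'func', 'module', 'args', 'ref'} or None if the line is not an API bullet.
    Unknown arguments ('?') become None; every other token is parsed as hex."""
    m = API_LINE.match(line)
    if m is None:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return {
        "func": m.group("func"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
    }


def decode_mb_flags(value: int) -> List[str]:
    """Expand a dwFlags value into MB_* names; bits outside the known four are reported, not hidden."""
    names = [name for bit, name in sorted(MB_FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(MB_FLAG_NAMES)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def mb2wc_flags(rec: Dict[str, Any]) -> Optional[List[str]]:
    """dwFlags is the second parameter. The sandbox dumps more stack slots than the six
    declared parameters, so only index 1 is interpreted here."""
    if rec["func"] != "MultiByteToWideChar" or len(rec["args"]) < 2 or rec["args"][1] is None:
        return None
    return decode_mb_flags(rec["args"][1])


def strict_then_lenient_retry(records: List[Dict[str, Any]]) -> bool:
    """True when a MultiByteToWideChar call with MB_ERR_INVALID_CHARS is followed by
    GetLastError and then a MultiByteToWideChar call without that flag, i.e. the caller
    inspects why the strict conversion failed before retrying without validation."""
    for i in range(len(records) - 2):
        a, b, c = records[i], records[i + 1], records[i + 2]
        fa, fc = mb2wc_flags(a), mb2wc_flags(c)
        if fa is None or fc is None or b["func"] != "GetLastError":
            continue
        if "MB_ERR_INVALID_CHARS" in fa and "MB_ERR_INVALID_CHARS" not in fc:
            return True
    return False


# Sample input: the three bullets from this block, copied verbatim.
SAMPLE = [
    "• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FD37",
    "• GetLastError.KERNEL32 ref: 0043FD45",
    "• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FDA0",
]


def analyse(lines: List[str]) -> Dict[str, Any]:
    """Parse every bullet, decode flags per call and check for the retry sequence."""
    records = [r for r in map(parse_api_line, lines) if r is not None]
    return {
        "records": records,
        "flags": [mb2wc_flags(r) for r in records],
        "retry_pattern": strict_then_lenient_retry(records),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for rec, flags in zip(result["records"], result["flags"]):
        print("%08X %s.%s %s" % (rec["ref"], rec["func"], rec["module"], flags or ""))
    print("strict-then-lenient retry:", result["retry_pattern"])
```

                                                      The retry check is a shape match on the trace, not proof of intent: the same sequence appears in ordinary C-runtime string conversion wrappers, so on its own it is a note for the analyst reading the function at 0043FD37, not an indicator.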
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4511946468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.4511934086.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511973439.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4511992687.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.4512026993.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 1717984340-0
                                                      • Opcode ID: da5cee2afb3fc4b5b183086853f31dabd9e5fae04dd03cb90eeff65bb8952867
                                                      • Instruction ID: a8021b2984f9c2011c4d4eba480f75da6e6c35d7fa760b83b06315d7a0ea6bca
                                                      • Opcode Fuzzy Hash: da5cee2afb3fc4b5b183086853f31dabd9e5fae04dd03cb90eeff65bb8952867
                                                      • Instruction Fuzzy Hash: E1410A30E00246AFCF218F65C84867B7BA5EF09310F14517EFC5A9B2A2DB398D05C759