
Windows Analysis Report
FdSJYyDayo.exe

Overview

General Information

Sample name: FdSJYyDayo.exe (renamed because the original name is a hash value)
Original sample name: C00E45FE6B36F599558F546CD45D7C52.exe
Analysis ID: 1501236
MD5: c00e45fe6b36f599558f546cd45d7c52
SHA1: 094c1c6d8814b4d73e1aafaabf9f8506f8551fb2
SHA256: 7d2784f37a68e93b654bb2eb0c7ef1220194f82b80e1b394c3f1d2866861286f
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • FdSJYyDayo.exe (PID: 764 cmdline: "C:\Users\user\Desktop\FdSJYyDayo.exe" MD5: C00E45FE6B36F599558F546CD45D7C52)
    • 27 de Junio.exe (PID: 5968 cmdline: "C:\ProgramData\27 de Junio\27 de Junio.exe" MD5: C00E45FE6B36F599558F546CD45D7C52)
  • 27 de Junio.exe (PID: 4820 cmdline: "C:\ProgramData\27 de Junio\27 de Junio.exe" MD5: C00E45FE6B36F599558F546CD45D7C52)
  • 27 de Junio.exe (PID: 2596 cmdline: "C:\ProgramData\27 de Junio\27 de Junio.exe" MD5: C00E45FE6B36F599558F546CD45D7C52)
  • 27 de Junio.exe (PID: 2056 cmdline: "C:\ProgramData\27 de Junio\27 de Junio.exe" MD5: C00E45FE6B36F599558F546CD45D7C52)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos):
{
  "Host:Port:Password": "eslibre9889.dynuddns.com:8997:0",
  "Assigned name": "27 de Junio",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "27 de Junio.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-IN9IWC",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source | Rule | Description | Author
FdSJYyDayo.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
FdSJYyDayo.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
FdSJYyDayo.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
      • 0x6aaa8:$a1: Remcos restarted by watchdog!
      • 0x6b020:$a3: %02i:%02i:%02i:%03i
FdSJYyDayo.exe | REMCOS_RAT_variants | unknown | unknown
      • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
      • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x64b6c:$str_b2: Executing file:
      • 0x65bec:$str_b3: GetDirectListeningPort
      • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x65718:$str_b7: \update.vbs
      • 0x64b94:$str_b9: Downloaded file:
      • 0x64b80:$str_b10: Downloading file:
      • 0x64c24:$str_b12: Failed to upload file:
      • 0x65bb4:$str_b13: StartForward
      • 0x65bd4:$str_b14: StopForward
      • 0x65670:$str_b15: fso.DeleteFile "
      • 0x65604:$str_b16: On Error Resume Next
      • 0x656a0:$str_b17: fso.DeleteFolder "
      • 0x64c14:$str_b18: Uploaded file:
      • 0x64bd4:$str_b19: Unable to delete:
      • 0x65638:$str_b20: while fso.FileExists("
      • 0x650b1:$str_c0: [Firefox StoredLogins not found]
FdSJYyDayo.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
      • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x6497c:$s1: CoGetObject
      • 0x64990:$s1: CoGetObject
      • 0x649ac:$s1: CoGetObject
      • 0x6e938:$s1: CoGetObject
      • 0x6493c:$s2: Elevation:Administrator!new:
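The rule hits above come down to a handful of strings: the COM elevation moniker "Elevation:Administrator!new:", the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the CoGetObject symbol, the reg.exe command that sets EnableLUA, and the update.vbs self-delete loop. The following scanner is an added example, not part of this report or of the YARA rules it cites: it looks for those same strings in both ASCII and UTF-16LE (CoGetObject takes a wide string, so the moniker may only exist in the wide form) and applies a co-occurrence condition modelled on INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM. The buffer returned by build_sample() is constructed for the demonstration and is not data from the analysed binary.

```python
# Added example (not part of the Joe Sandbox report or of the YARA rules it cites).
# Searches a byte buffer for the indicator strings those rules matched in this
# sample, in ASCII and UTF-16LE, then applies a co-occurrence condition. The
# buffer from build_sample() is constructed, not taken from the analysed binary.
from typing import Dict, Iterator, List, Tuple

INDICATORS = {
    # COM elevation moniker + CMSTPLUA CLSID + CoGetObject: UAC bypass via CMSTP COM (T1218.003)
    "cmstp_moniker":    "Elevation:Administrator!new:",
    "cmstplua_clsid":   "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "cogetobject":      "CoGetObject",
    # reg.exe command that disables UAC prompting (string from REMCOS_RAT_variants)
    "enablelua_tamper": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
    # update.vbs self-delete loop (strings from REMCOS_RAT_variants)
    "vbs_self_delete":  'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
    "vbs_wait_loop":    'while fso.FileExists("',
}

def find_all(buf: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which needle occurs in buf."""
    i = buf.find(needle)
    while i != -1:
        yield i
        i = buf.find(needle, i + 1)

def scan(buf: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Map indicator name -> [(offset, encoding), ...] for each indicator present."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for name, text in INDICATORS.items():
        for enc in ("ascii", "utf-16le"):
            for off in find_all(buf, text.encode(enc)):
                hits.setdefault(name, []).append((off, enc))
    return hits

def verdict(hits: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Co-occurrence rules. A single string can appear in benign software
    (CoGetObject is an ordinary COM API), so the CMSTP tag needs all three."""
    found = set(hits)
    tags = []
    if {"cmstp_moniker", "cmstplua_clsid", "cogetobject"} <= found:
        tags.append("uac_bypass_cmstp_com")
    if "enablelua_tamper" in found:
        tags.append("uac_disable_enablelua")
    if {"vbs_self_delete", "vbs_wait_loop"} <= found:
        tags.append("vbs_self_delete")
    return tags

def build_sample() -> bytes:
    """Constructed image: the moniker as a wide string (CoGetObject takes
    LPCWSTR), the CLSID and import name as ASCII, plus the reg.exe command."""
    pad = b"\x00" * 16
    return (pad + INDICATORS["cmstp_moniker"].encode("utf-16le") + pad
            + INDICATORS["cmstplua_clsid"].encode("ascii") + pad
            + INDICATORS["cogetobject"].encode("ascii") + b"\x00" + pad
            + INDICATORS["enablelua_tamper"].encode("ascii") + pad)

if __name__ == "__main__":
    hits = scan(build_sample())
    for name, where in hits.items():
        print(f"{name:18s} " + ", ".join(f"0x{off:x} ({enc})" for off, enc in where))
    print("verdict:", verdict(hits))
```

Run it against a real file with scan(open(path, "rb").read()); the offsets it prints are file offsets, comparable to the 0x... values in the rule output above, and a packed sample will show nothing until it is unpacked, which is why the report also lists matches on the .unpack and memory-dump sources.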
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\ProgramData\27 de Junio\27 de Junio.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\ProgramData\27 de Junio\27 de Junio.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
C:\ProgramData\27 de Junio\27 de Junio.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
            • 0x6aaa8:$a1: Remcos restarted by watchdog!
            • 0x6b020:$a3: %02i:%02i:%02i:%03i
C:\ProgramData\27 de Junio\27 de Junio.exe | REMCOS_RAT_variants | unknown | unknown
            • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
            • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x64b6c:$str_b2: Executing file:
            • 0x65bec:$str_b3: GetDirectListeningPort
            • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x65718:$str_b7: \update.vbs
            • 0x64b94:$str_b9: Downloaded file:
            • 0x64b80:$str_b10: Downloading file:
            • 0x64c24:$str_b12: Failed to upload file:
            • 0x65bb4:$str_b13: StartForward
            • 0x65bd4:$str_b14: StopForward
            • 0x65670:$str_b15: fso.DeleteFile "
            • 0x65604:$str_b16: On Error Resume Next
            • 0x656a0:$str_b17: fso.DeleteFolder "
            • 0x64c14:$str_b18: Uploaded file:
            • 0x64bd4:$str_b19: Unable to delete:
            • 0x65638:$str_b20: while fso.FileExists("
            • 0x650b1:$str_c0: [Firefox StoredLogins not found]
(1 further entry not shown)
Source | Rule | Description | Author
00000001.00000002.4140240474.00000000021FF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000002.1803831388.0000000000528000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.1965049891.00000000005FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(50 further entries not shown)
Source | Rule | Description | Author
7.0.27 de Junio.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
7.0.27 de Junio.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
7.0.27 de Junio.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
                          • 0x6aaa8:$a1: Remcos restarted by watchdog!
                          • 0x6b020:$a3: %02i:%02i:%02i:%03i
7.0.27 de Junio.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
                          • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
                          • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                          • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                          • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                          • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                          • 0x64b6c:$str_b2: Executing file:
                          • 0x65bec:$str_b3: GetDirectListeningPort
                          • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                          • 0x65718:$str_b7: \update.vbs
                          • 0x64b94:$str_b9: Downloaded file:
                          • 0x64b80:$str_b10: Downloading file:
                          • 0x64c24:$str_b12: Failed to upload file:
                          • 0x65bb4:$str_b13: StartForward
                          • 0x65bd4:$str_b14: StopForward
                          • 0x65670:$str_b15: fso.DeleteFile "
                          • 0x65604:$str_b16: On Error Resume Next
                          • 0x656a0:$str_b17: fso.DeleteFolder "
                          • 0x64c14:$str_b18: Uploaded file:
                          • 0x64bd4:$str_b19: Unable to delete:
                          • 0x65638:$str_b20: while fso.FileExists("
                          • 0x650b1:$str_c0: [Firefox StoredLogins not found]
7.0.27 de Junio.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
                          • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                          • 0x6497c:$s1: CoGetObject
                          • 0x64990:$s1: CoGetObject
                          • 0x649ac:$s1: CoGetObject
                          • 0x6e938:$s1: CoGetObject
                          • 0x6493c:$s2: Elevation:Administrator!new:
(45 further entries not shown)

                          System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\27 de Junio\27 de Junio.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\FdSJYyDayo.exe, ProcessId: 764, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-IN9IWC
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\27 de Junio\27 de Junio.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\FdSJYyDayo.exe, ProcessId: 764, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-IN9IWC

                          Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\ProgramData\27 de Junio\27 de Junio.exe, ProcessId: 5968, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata IDS alerts (timestamp | SID | severity | source port | destination port | protocol | classtype):
2024-08-29T16:06:56.322890+0200 | 2032776 | 1 | 49730 | 8997 | TCP | Malware Command and Control Activity Detected
2024-08-29T16:09:00.868774+0200 | 2032777 | 1 | 8997 | 49730 | TCP | Malware Command and Control Activity Detected
2024-08-29T16:06:57.000533+0200 | 2032777 | 1 | 8997 | 49730 | TCP | Malware Command and Control Activity Detected
2024-08-29T16:06:57.858069+0200 | 2803304 | 3 | 49731 | 80 | TCP | Unknown Traffic
2024-08-29T16:11:00.964719+0200 | 2032777 | 1 | 8997 | 49730 | TCP | Malware Command and Control Activity Detected
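The configuration block, the two Sigma registry hits and the file-create entry above describe the same installation: the configured mutex name Rmc-IN9IWC is reused as the Run value name under both HKCU and HKLM\WOW6432Node, the value data is the copy under C:\ProgramData\27 de Junio\, and the keylog file logs.dat is created by that copy. The script below is an added example, not part of this report, that derives those artifacts from the extracted configuration and checks Sysmon-style events against them. Assumptions that hold for this report but are not stated by it: "Application path" resolves to C:\ProgramData\<Assigned name>, the Run value name equals the configured mutex, and Remcos-style value names follow the "Rmc-" plus six characters pattern seen here. Only the keylog file name is matched, because the report shows it under C:\ProgramData\remcos\ rather than under the configured "Application path". The event records are constructed from the report's values plus one benign control.

```python
# Added example (not part of the Joe Sandbox report): derive host artifacts from
# the extracted Remcos configuration and check Sysmon-style events against them.
# Sysmon EventID 13 = registry value set, EventID 11 = file create. Events are
# constructed from the report's entries plus one benign control.
import re
from ntpath import basename          # backslash-aware on any host OS
from typing import Dict, List, Tuple

REMCOS_CONFIG = {                     # values copied from the report's configuration block
    "Host:Port:Password": "eslibre9889.dynuddns.com:8997:0",
    "Assigned name": "27 de Junio",
    "Install path": "Application path",
    "Copy file": "27 de Junio.exe",
    "Mutex": "Rmc-IN9IWC",
    "Keylog file": "logs.dat",
}

EVENTS = [   # constructed Sysmon-style events
    {"EventID": 13, "ProcessId": 764, "Image": r"C:\Users\user\Desktop\FdSJYyDayo.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-IN9IWC",
     "Details": r'"C:\ProgramData\27 de Junio\27 de Junio.exe"'},
    {"EventID": 13, "ProcessId": 764, "Image": r"C:\Users\user\Desktop\FdSJYyDayo.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-IN9IWC",
     "Details": r'"C:\ProgramData\27 de Junio\27 de Junio.exe"'},
    {"EventID": 11, "ProcessId": 5968, "Image": r"C:\ProgramData\27 de Junio\27 de Junio.exe",
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\Vendor\setup.exe",   # benign control
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
REMCOS_NAME_RE = re.compile(r"^Rmc-[0-9A-Z]{6}$")      # assumption: naming seen in this report

def parse_c2(value: str) -> Tuple[str, int, str]:
    """Split the extractor's 'host:port:password' field."""
    host, port, password = value.rsplit(":", 2)
    return host, int(port), password

def derive_artifacts(cfg: Dict[str, str]) -> Dict[str, object]:
    host, port, _ = parse_c2(cfg["Host:Port:Password"])
    folder = r"C:\ProgramData" + "\\" + cfg["Assigned name"]       # assumption: "Application path"
    return {
        "c2_host": host,
        "c2_port": port,
        "install_exe": folder + "\\" + cfg["Copy file"],
        "run_value_name": cfg["Mutex"],                             # assumption: value name = mutex
        "keylog_file": cfg["Keylog file"],
    }

def match_events(events: List[dict], art: Dict[str, object]) -> List[Tuple[str, int, str]]:
    """Return (finding, ProcessId, object) for every event that matches an artifact."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            m = RUN_VALUE_RE.search(ev["TargetObject"])
            if not m:
                continue
            name, data = m.group(1), ev.get("Details", "").strip('"')
            if name == art["run_value_name"] and data.lower() == str(art["install_exe"]).lower():
                findings.append(("config-match persistence", ev["ProcessId"], ev["TargetObject"]))
            elif REMCOS_NAME_RE.match(name):      # mutex unknown, but the naming fits
                findings.append(("remcos-style run value", ev["ProcessId"], ev["TargetObject"]))
        elif ev["EventID"] == 11:
            if basename(ev["TargetFilename"]).lower() == str(art["keylog_file"]).lower():
                findings.append(("keylog file created", ev["ProcessId"], ev["TargetFilename"]))
    return findings

if __name__ == "__main__":
    for finding in match_events(EVENTS, derive_artifacts(REMCOS_CONFIG)):
        print(*finding, sep=" | ")
```

The "remcos-style run value" branch is the one to keep when the configuration is not available: it fires on the value name alone and so needs review, while the "config-match persistence" branch ties name and data to a specific configuration and is safe to alert on directly.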


                          AV Detection

Source: FdSJYyDayo.exe | Avira: detected
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: 00000002.00000002.1803831388.0000000000528000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "eslibre9889.dynuddns.com:8997:0", "Assigned name": "27 de Junio", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "27 de Junio.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-IN9IWC", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | ReversingLabs: Detection: 86%
Source: FdSJYyDayo.exe | ReversingLabs: Detection: 86%
Source: Yara match | File source: FdSJYyDayo.exe, type: SAMPLE
Source: Yara match | File source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4140240474.00000000021FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1803831388.0000000000528000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1965049891.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1674480983.000000000072E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1884579837.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FdSJYyDayo.exe PID: 764, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 5968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 4820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2056, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match | File source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Joe Sandbox ML: detected
Source: FdSJYyDayo.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00433837
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_00433837
Source: FdSJYyDayo.exe, 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_3c11387d-b

                          Exploits

Source: Yara match | File source: FdSJYyDayo.exe, type: SAMPLE
Source: Yara match | File source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FdSJYyDayo.exe PID: 764, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 5968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 4820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2056, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED

                          Privilege Escalation

Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_004074FD _wcslen,CoGetObject,0_2_004074FD
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_004074FD _wcslen,CoGetObject,2_2_004074FD
Source: FdSJYyDayo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409253
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C34D
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409665
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00409253
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C291
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C34D
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00409665
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_0040880C
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040783C FindFirstFileW,FindNextFileW,2_2_0040783C
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419AF5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB30
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD37
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97

                          Networking

                          Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49730 -> 190.70.119.188:8997
                          Source: Network trafficSuricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 190.70.119.188:8997 -> 192.168.2.4:49730
                          Source: Malware configuration extractorURLs: eslibre9889.dynuddns.com
                          Source: global trafficTCP traffic: 192.168.2.4:49730 -> 190.70.119.188:8997
                          Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                          Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                          Source: Joe Sandbox ViewASN Name: EPMTelecomunicacionesSAESPCO EPMTelecomunicacionesSAESPCO
                          Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 178.237.33.50:80
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B380
                          Source: global trafficDNS traffic detected: DNS query: colombiaeslibre9889.dynuddns.com
                          Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                          Source: 27 de Junio.exe, 00000001.00000003.1692245031.00000000005D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                          Source: 27 de Junio.exeString found in binary or memory: http://geoplugin.net/json.gp
                          Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000003.1692245031.00000000005B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp#z
                          Source: FdSJYyDayo.exe, 27 de Junio.exe.0.drString found in binary or memory: http://geoplugin.net/json.gp/C
                          Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000003.1692245031.00000000005B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpQz
                          Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000003.1692245031.00000000005B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpn.net/Eq

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,000000000_2_0040A2B8
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeWindows user hook set: 0 keyboard low level C:\ProgramData\27 de Junio\27 de Junio.exe
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168C1
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_004168C1
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A3E0

                          E-Banking Fraud

                          Source: Yara matchFile source: FdSJYyDayo.exe, type: SAMPLE
                          Source: Yara matchFile source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000001.00000002.4140240474.00000000021FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000002.1803831388.0000000000528000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000007.00000002.1965049891.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1674480983.000000000072E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000004.00000002.1884579837.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: FdSJYyDayo.exe PID: 764, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: 27 de Junio.exe PID: 5968, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: 27 de Junio.exe PID: 4820, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: 27 de Junio.exe PID: 2596, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: 27 de Junio.exe PID: 2056, type: MEMORYSTR
                          Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED

                          Spam, unwanted Advertisements and Ransom Demands

                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0041C9E2 SystemParametersInfoW,0_2_0041C9E2
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0041C9E2 SystemParametersInfoW,2_2_0041C9E2

                          System Summary

                          Source: FdSJYyDayo.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: FdSJYyDayo.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: FdSJYyDayo.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: Process Memory Space: FdSJYyDayo.exe PID: 764, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: Process Memory Space: 27 de Junio.exe PID: 5968, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: Process Memory Space: 27 de Junio.exe PID: 4820, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: Process Memory Space: 27 de Junio.exe PID: 2596, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: Process Memory Space: 27 de Junio.exe PID: 2056, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPEDMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPEDMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPEDMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeProcess Stats: CPU usage > 49%
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_004132D2
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041BB09
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,0_2_0041BB35
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,2_2_004132D2
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,2_2_0041BB09
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,2_2_0041BB35
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004167B4
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,2_2_004167B4
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0043E0CC0_2_0043E0CC
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0041F0FA0_2_0041F0FA
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004541590_2_00454159
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004381680_2_00438168
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004461F00_2_004461F0
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0043E2FB0_2_0043E2FB
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0045332B0_2_0045332B
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0042739D0_2_0042739D
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004374E60_2_004374E6
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0043E5580_2_0043E558
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004387700_2_00438770
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004378FE0_2_004378FE
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_004339460_2_00433946
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0044D9C90_2_0044D9C9
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_00427A460_2_00427A46
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0041DB620_2_0041DB62
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_00427BAF0_2_00427BAF
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_00437D330_2_00437D33
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_00435E5E0_2_00435E5E
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_00426E0E0_2_00426E0E
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_0043DE9D0_2_0043DE9D
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_00413FCA0_2_00413FCA
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: 0_2_00436FEA0_2_00436FEA
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0043E0CC2_2_0043E0CC
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0041F0FA2_2_0041F0FA
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004541592_2_00454159
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004381682_2_00438168
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004461F02_2_004461F0
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0043E2FB2_2_0043E2FB
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0045332B2_2_0045332B
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0042739D2_2_0042739D
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004374E62_2_004374E6
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0043E5582_2_0043E558
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004387702_2_00438770
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004378FE2_2_004378FE
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_004339462_2_00433946
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0044D9C92_2_0044D9C9
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_00427A462_2_00427A46
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0041DB622_2_0041DB62
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_00427BAF2_2_00427BAF
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_00437D332_2_00437D33
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_00435E5E2_2_00435E5E
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_00426E0E2_2_00426E0E
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_0043DE9D2_2_0043DE9D
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_00413FCA2_2_00413FCA
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: 2_2_00436FEA2_2_00436FEA
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: String function: 00434E10 appears 54 times
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: String function: 00402093 appears 50 times
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: String function: 00434770 appears 42 times
                          Source: C:\ProgramData\27 de Junio\27 de Junio.exeCode function: String function: 00401E65 appears 34 times
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: String function: 00434E10 appears 54 times
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: String function: 00402093 appears 50 times
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: String function: 00434770 appears 42 times
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeCode function: String function: 00401E65 appears 35 times
                          Source: FdSJYyDayo.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: FdSJYyDayo.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: FdSJYyDayo.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: FdSJYyDayo.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: FdSJYyDayo.exe PID: 764, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 27 de Junio.exe PID: 5968, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 27 de Junio.exe PID: 4820, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 27 de Junio.exe PID: 2596, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 27 de Junio.exe PID: 2056, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/4@2/2
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 0_2_00417952
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 2_2_00417952
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle | 0_2_0040F474
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource | 0_2_0041B4A8
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0041AA4A
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-IN9IWC
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Software\ | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Rmc-IN9IWC | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Exe | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Exe | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Rmc-IN9IWC | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Inj | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Inj | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: xIs | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: xIs | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: xIs | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: 8SG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: xIs | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: exepath | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: 8SG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: exepath | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: xIs | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: licence | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: dMG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: PSG | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: Administrator | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: User | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: del | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: del | 0_2_0040E9C5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Command line argument: del | 0_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: Software\ | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: Exe | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: Inj | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: Inj | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: 8SG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: exepath | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: 8SG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: exepath | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: licence | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: dMG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: PSG | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: Administrator | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: User | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: del | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: del | 2_2_0040E9C5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Command line argument: del | 2_2_0040E9C5
                          Source: FdSJYyDayo.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: FdSJYyDayo.exeReversingLabs: Detection: 86%
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeFile read: C:\Users\user\Desktop\FdSJYyDayo.exeJump to behavior
                          Source: unknownProcess created: C:\Users\user\Desktop\FdSJYyDayo.exe "C:\Users\user\Desktop\FdSJYyDayo.exe"
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeProcess created: C:\ProgramData\27 de Junio\27 de Junio.exe "C:\ProgramData\27 de Junio\27 de Junio.exe"
                          Source: unknownProcess created: C:\ProgramData\27 de Junio\27 de Junio.exe "C:\ProgramData\27 de Junio\27 de Junio.exe"
                          Source: unknownProcess created: C:\ProgramData\27 de Junio\27 de Junio.exe "C:\ProgramData\27 de Junio\27 de Junio.exe"
                          Source: unknownProcess created: C:\ProgramData\27 de Junio\27 de Junio.exe "C:\ProgramData\27 de Junio\27 de Junio.exe"
                          Source: C:\Users\user\Desktop\FdSJYyDayo.exeProcess created: C:\ProgramData\27 de Junio\27 de Junio.exe "C:\ProgramData\27 de Junio\27 de Junio.exe" Jump to behavior
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: winmm.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: wininet.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: netutils.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: wldp.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: profapi.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: winmm.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: wininet.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: netutils.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: winmm.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: wininet.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: netutils.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: winmm.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: wininet.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: netutils.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: FdSJYyDayo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FdSJYyDayo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FdSJYyDayo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FdSJYyDayo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FdSJYyDayo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FdSJYyDayo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: FdSJYyDayo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FdSJYyDayo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FdSJYyDayo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FdSJYyDayo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FdSJYyDayo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FdSJYyDayo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CB50
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00457106 push ecx; ret 0_2_00457119
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00457A28 push eax; ret 0_2_00457A46
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00434E56 push ecx; ret 0_2_00434E69
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00457106 push ecx; ret 2_2_00457119
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00457A28 push eax; ret 2_2_00457A46
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00434E56 push ecx; ret 2_2_00434E69
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 0_2_00406EB0
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | File created: C:\ProgramData\27 de Junio\27 de Junio.exe
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | File created: C:\ProgramData\27 de Junio\27 de Junio.exe
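The "Data directory: X is in: Y" lines above are the static check an analyst would reproduce first: each populated data directory of the PE should land inside a section, and for an unpacked MSVC build the import table, IAT and load-config block sit in .rdata, resources in .rsrc and relocations in .reloc, exactly as listed. The parser below is an added example, not Joe Sandbox's code and not taken from the sample; it walks the PE32/PE32+ optional header and section table with nothing but the standard library, and the PE it builds is a constructed headers-only image that mirrors the layout the report describes (directory RVAs and section sizes are invented for the example). A directory whose RVA falls outside every section maps to None, which is the tampering case worth flagging.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_* names in table order (PE/COFF specification).
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_sections(data, file_hdr_off):
    """Return [(name, virtual_address, virtual_size, raw_size)] from the section table.
    file_hdr_off is the offset of IMAGE_FILE_HEADER, right after the PE signature."""
    num_sections, = struct.unpack_from("<H", data, file_hdr_off + 2)
    opt_size, = struct.unpack_from("<H", data, file_hdr_off + 16)
    table = file_hdr_off + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, va, vsize, raw_size))
    return sections


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return name
    return None


def map_data_directories(data):
    """Map every populated data directory to the section that holds it.
    A directory whose RVA lies outside all sections maps to None."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    opt = file_hdr + 20
    magic, = struct.unpack_from("<H", data, opt)
    # The directory table starts at +96 (PE32, magic 0x10B) or +112 (PE32+, 0x20B);
    # NumberOfRvaAndSizes occupies the 4 bytes just before it in both layouts.
    dd_off = opt + (96 if magic == 0x10B else 112)
    num_dirs, = struct.unpack_from("<I", data, dd_off - 4)
    sections = parse_sections(data, file_hdr)
    mapping = {}
    for i in range(min(num_dirs, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * i)
        if rva == 0 and size == 0:
            continue
        mapping[DIRECTORY_NAMES[i]] = section_for_rva(sections, rva)
    return mapping


def build_sample_pe():
    """Constructed minimal PE32 header (no code, not the report's sample) laid out as the
    report describes: IMPORT, LOAD_CONFIG and IAT in .rdata, RESOURCE in .rsrc, BASERELOC in .reloc."""
    sections = [(b".text", 0x1000, 0x5000), (b".rdata", 0x6000, 0x2000),
                (b".rsrc", 0x8000, 0x1000), (b".reloc", 0x9000, 0x1000)]
    directories = {1: 0x6100, 2: 0x8000, 5: 0x9000, 10: 0x6300, 12: 0x6000}  # assumed RVAs
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE signature at 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                       # PE32 optional header incl. 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    for idx, rva in directories.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, 0x100)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, 0)
                     for name, va, vsize in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    for directory, section in map_data_directories(build_sample_pe()).items():
        print(f"{directory:<12} -> {section}")
```

On a real file, replace build_sample_pe() with the bytes read from disk; an import or IAT directory that resolves to None, or to a section other than the one the compiler normally uses, is a quick hint that the headers were rewritten by a packer or a loader stub.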

Boot Survival

Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AA4A
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CB50
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Process information set: NOOPENFILEERRORBOX
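The persistence chain this section records is small and very detectable: a binary run from the user's Desktop drops a copy under C:\ProgramData and registers it under both the HKCU Run key and the HKLM WOW6432Node Run key with the value name Rmc-IN9IWC. The detector below is an added example written for this page, not Joe Sandbox logic and not Remcos code; it runs over constructed registry-set and process-create events shaped like Sysmon event IDs 13 and 1. Two things in it are assumptions rather than facts from the report: the value-name pattern Rmc- followed by six alphanumerics is generalised from the single name shown, and the Run value's data (the path it launches) is not printed in the report, so the sample events assume it points at the dropped file.

```python
import re

# Run keys in the native and WOW6432Node views, with the value name captured.
# Sysmon reports the value as the last path component; the report prints it after a space.
RUN_KEY_RE = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKCU|HKLM|HKU\\[^\\]+)\\"
    r"SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Assumed naming convention, generalised from the one value name (Rmc-IN9IWC) in the report.
REMCOS_VALUE_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")
# Locations an unprivileged user can write to; an autostart entry that is written from,
# or points into, one of these deserves a look even without a known value name.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def under_prefix(path, prefixes):
    """Case-insensitive 'path starts with one of prefixes'."""
    lowered = path.lower()
    return any(lowered.startswith(p) for p in prefixes)


def check_registry_set(ev):
    """Evaluate one registry-value-set event; returns [(severity, rule, evidence)]."""
    match = RUN_KEY_RE.match(ev["target"])
    if not match:
        return []
    findings = []
    value_name = match.group("value")
    if REMCOS_VALUE_RE.match(value_name):
        findings.append(("high", "remcos_style_run_value", value_name))
    if under_prefix(ev["image"], USER_WRITABLE_PREFIXES):
        findings.append(("medium", "run_key_written_from_user_writable_path", ev["image"]))
    if under_prefix(ev.get("details", ""), USER_WRITABLE_PREFIXES):
        findings.append(("medium", "autostart_target_in_user_writable_path", ev["details"]))
    return findings


def check_process_create(ev):
    """Flag a binary under ProgramData launched by a file living on a user's Desktop."""
    if under_prefix(ev["image"], ("c:\\programdata\\",)) and "\\desktop\\" in ev["parent_image"].lower():
        return [("medium", "programdata_child_of_desktop_binary", ev["image"])]
    return []


def scan(events):
    """Run every event through the matching check and collect the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            findings.extend(check_registry_set(ev))
        elif ev["type"] == "process_create":
            findings.extend(check_process_create(ev))
    return findings


# Constructed events mirroring the report's lines (not sandbox output). The "details"
# field, i.e. what the Run value launches, is assumed to be the dropped file.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\ProgramData\27 de Junio\27 de Junio.exe",
     "parent_image": r"C:\Users\user\Desktop\FdSJYyDayo.exe"},
    {"type": "registry_set",
     "image": r"C:\Users\user\Desktop\FdSJYyDayo.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-IN9IWC",
     "details": r"C:\ProgramData\27 de Junio\27 de Junio.exe"},
    {"type": "registry_set",
     "image": r"C:\Users\user\Desktop\FdSJYyDayo.exe",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-IN9IWC",
     "details": r"C:\ProgramData\27 de Junio\27 de Junio.exe"},
    # Benign control: a vendor installer in Program Files registering its updater.
    {"type": "registry_set",
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\update.exe"},
]

if __name__ == "__main__":
    for severity, rule, evidence in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {evidence}")
```

The two medium-severity path rules are the ones that keep working when the value name changes; the Rmc- rule is cheap and precise but only catches builds that keep the default naming.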

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040F7A7 Sleep,ExitProcess, 0_2_0040F7A7
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040F7A7 Sleep,ExitProcess, 2_2_0040F7A7
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A748
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 2_2_0041A748
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Window / User API: threadDelayed 9481
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Window / User API: foregroundWindowGot 1750
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Evaded block: after key decision | graph_0-46993
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Evaded block: after key decision | graph_0-46969
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | API coverage: 6.1 %
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | API coverage: 6.0 %
Source: C:\ProgramData\27 de Junio\27 de Junio.exe TID: 5568 | Thread sleep count: 247 > 30
Source: C:\ProgramData\27 de Junio\27 de Junio.exe TID: 5568 | Thread sleep time: -123500s >= -30000s
Source: C:\ProgramData\27 de Junio\27 de Junio.exe TID: 4520 | Thread sleep time: -75000s >= -30000s
Source: C:\ProgramData\27 de Junio\27 de Junio.exe TID: 4520 | Thread sleep count: 9481 > 30
Source: C:\ProgramData\27 de Junio\27 de Junio.exe TID: 4520 | Thread sleep time: -28443000s >= -30000s
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409253
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C291
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C34D
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409665
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_0040880C
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, 0_2_0040783C
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419AF5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB30
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD37
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00409253
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 2_2_0041C291
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 2_2_0040C34D
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00409665
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 2_2_0040880C
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040783C FindFirstFileW,FindNextFileW, 2_2_0040783C
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_00419AF5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_0040BB30
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_0040BD37
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407C97
Source: 27 de Junio.exe, 00000001.00000003.1692743832.00000000005E8000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000002.4139888253.00000000005E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW6
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP_%SystemRoot%\system32\mswsock.dll
Source: 27 de Junio.exe, 00000001.00000003.1692743832.00000000005E8000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000002.4139888253.00000000005E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004349F9
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CB50
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h] 0_2_004432B5
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_004432B5 mov eax, dword ptr fs:[00000030h] 2_2_004432B5
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00412077 GetProcessHeap,HeapFree, 0_2_00412077
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004349F9
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00434B47 SetUnhandledExceptionFilter, 0_2_00434B47
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BB22
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00434FDC
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004349F9
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00434B47 SetUnhandledExceptionFilter, 2_2_00434B47
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0043BB22
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: 2_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00434FDC
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412117
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_004120F7
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00419627 mouse_event, 0_2_00419627
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Process created: C:\ProgramData\27 de Junio\27 de Junio.exe "C:\ProgramData\27 de Junio\27 de Junio.exe"
Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager'
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWC\-
Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000003.1692245031.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerA
Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerO
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWC\$
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWC\#
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWC\
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWC\10
Source: 27 de Junio.exe, 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000002.4139888253.00000000005C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 27 de Junio.exe, 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.1.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_00434C52 cpuid 0_2_00434C52
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: EnumSystemLocalesW, 0_2_00452036
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004520C3
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: GetLocaleInfoW, 0_2_00452313
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: EnumSystemLocalesW, 0_2_00448404
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0045243C
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: GetLocaleInfoW, 0_2_00452543
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452610
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: GetLocaleInfoA, 0_2_0040F8D1
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: GetLocaleInfoW, 0_2_004488ED
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00451CD8
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: EnumSystemLocalesW, 0_2_00451F50
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: EnumSystemLocalesW, 0_2_00451F9B
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: EnumSystemLocalesW, 2_2_00452036
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_004520C3
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetLocaleInfoW, 2_2_00452313
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: EnumSystemLocalesW, 2_2_00448404
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0045243C
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetLocaleInfoW, 2_2_00452543
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00452610
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetLocaleInfoA, 2_2_0040F8D1
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: GetLocaleInfoW, 2_2_004488ED
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00451CD8
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: EnumSystemLocalesW, 2_2_00451F50
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: EnumSystemLocalesW, 2_2_00451F9B
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0040B164 GetLocalTime,wsprintfW, 0_2_0040B164
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW, 0_2_0041B60D
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: 0_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_004493AD

                          Stealing of Sensitive Information

Source: Yara match | File source: FdSJYyDayo.exe, type: SAMPLE
Source: Yara match | File source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: FdSJYyDayo.exe PID: 764, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 5968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 4820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2056, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match | File source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 0_2_0040BA12
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 2_2_0040BA12
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 0_2_0040BB30
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: \key3.db, 0_2_0040BB30
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 2_2_0040BB30
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: \key3.db, 2_2_0040BB30

                          Remote Access Functionality

Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-IN9IWC
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-IN9IWC
Source: Yara match | File source: FdSJYyDayo.exe, type: SAMPLE
Source: Yara match | File source: 7.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FdSJYyDayo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.27 de Junio.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: FdSJYyDayo.exe PID: 764, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 5968, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 4820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 27 de Junio.exe PID: 2056, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match | File source: C:\ProgramData\27 de Junio\27 de Junio.exe, type: DROPPED
Source: C:\Users\user\Desktop\FdSJYyDayo.exe | Code function: cmd.exe, 0_2_0040569A
Source: C:\ProgramData\27 de Junio\27 de Junio.exe | Code function: cmd.exe, 2_2_0040569A
MITRE ATT&CK Matrix

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques marked for this sample, grouped by tactic (the number in parentheses is the hit indicator shown in the matrix cell):

• Execution: Native API (2), Command and Scripting Interpreter (12), Service Execution (2)
• Persistence: DLL Side-Loading (1), Windows Service (1), Registry Run Keys / Startup Folder (11)
• Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (22), Registry Run Keys / Startup Folder (11)
• Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (22)
• Credential Access: OS Credential Dumping (1), Input Capture (211), Credentials In Files (2)
• Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (22), Security Software Discovery (121), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1)
• Collection: Archive Collected Data (11), Input Capture (211), Clipboard Data (3)
• Command and Control: Ingress Tool Transfer (12), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (12)
• Impact: System Shutdown/Reboot (1), Defacement (1)
• Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no techniques marked
Source | Detection | Scanner | Label | Link
FdSJYyDayo.exe | 87% | ReversingLabs | Win32.Backdoor.Remcos |
FdSJYyDayo.exe | 100% | Avira | BDS/Backdoor.Gen |
FdSJYyDayo.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\27 de Junio\27 de Junio.exe | 100% | Avira | BDS/Backdoor.Gen |
C:\ProgramData\27 de Junio\27 de Junio.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\27 de Junio\27 de Junio.exe | 87% | ReversingLabs | Win32.Backdoor.Remcos |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://geoplugin.net/ | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
eslibre9889.dynuddns.com | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp#z | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpn.net/Eq | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpQz | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
colombiaeslibre9889.dynuddns.com | 190.70.119.188 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
eslibre9889.dynuddns.com | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp#z | 27 de Junio.exe, 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000003.1692245031.00000000005B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpn.net/Eq | 27 de Junio.exe, 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000003.1692245031.00000000005B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/ | 27 de Junio.exe, 00000001.00000003.1692245031.00000000005D3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpQz | 27 de Junio.exe, 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, 27 de Junio.exe, 00000001.00000003.1692245031.00000000005B1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | FdSJYyDayo.exe, 27 de Junio.exe.0.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
190.70.119.188 | colombiaeslibre9889.dynuddns.com | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501236
Start date and time: 2024-08-29 16:06:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FdSJYyDayo.exe (renamed because the original name is a hash value)
Original Sample Name: C00E45FE6B36F599558F546CD45D7C52.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@6/4@2/2
                              EGA Information:
                              • Successful, ratio: 66.7%
                              HCA Information:
                              • Successful, ratio: 95%
                              • Number of executed functions: 18
                              • Number of non-executed functions: 397
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 27 de Junio.exe, PID 5968 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: FdSJYyDayo.exe
Time | Type | Description
10:07:27 | API Interceptor | 7823011x Sleep call for process: 27 de Junio.exe modified
15:07:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC "C:\ProgramData\27 de Junio\27 de Junio.exe"
15:07:08 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC "C:\ProgramData\27 de Junio\27 de Junio.exe"
15:07:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-IN9IWC "C:\ProgramData\27 de Junio\27 de Junio.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | Ravakhu24105.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BP-30M31_20240829_093844.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | P.O_Qouts_t87E90Y-E4R7G-PDF.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | French Group.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ORDER 5172024.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | pop.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | malicious | Remcos | geoplugin.net/json.gp

Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | Ravakhu24105.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | BP-30M31_20240829_093844.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | P.O_Qouts_t87E90Y-E4R7G-PDF.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | French Group.js | malicious | Remcos | 178.237.33.50
geoplugin.net | ORDER 5172024.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | pop.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | malicious | Remcos | 178.237.33.50

Match | Associated Sample Name / URL | Detection | Threat Name | Context
EPMTelecomunicacionesSAESPCO | 88b5ed74d4fc6f2cf6394bd1766f44df61e7dc9b810cfacbecba5b34af3bf57d_dump.exe | malicious | SmokeLoader | 181.128.22.240
EPMTelecomunicacionesSAESPCO | sora.mips.elf | malicious | Unknown | 181.129.241.199
EPMTelecomunicacionesSAESPCO | sora.spc.elf | malicious | Unknown | 181.128.127.239
EPMTelecomunicacionesSAESPCO | ExeFile (233).exe | malicious | Emotet | 200.116.145.225
EPMTelecomunicacionesSAESPCO | KKveTTgaAAsecNNaaaa.mips.elf | malicious | Unknown | 191.95.19.250
EPMTelecomunicacionesSAESPCO | ExeFile (278).exe | malicious | Emotet | 181.129.96.162
EPMTelecomunicacionesSAESPCO | ExeFile (305).exe | malicious | Emotet | 181.129.96.162
EPMTelecomunicacionesSAESPCO | ExeFile (323).exe | malicious | Emotet | 181.129.96.162
EPMTelecomunicacionesSAESPCO | ExeFile (333).exe | malicious | Emotet | 200.116.93.61
EPMTelecomunicacionesSAESPCO | ExeFile (347).exe | malicious | Emotet | 181.129.96.162
ATOM86-ASATOM86NL | Ravakhu24105.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | BP-30M31_20240829_093844.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | P.O_Qouts_t87E90Y-E4R7G-PDF.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | French Group.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ORDER 5172024.xla.xlsx | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | pop.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | malicious | Remcos | 178.237.33.50
                              No context
                              No context
                              Process: C:\Users\user\Desktop\FdSJYyDayo.exe
                              File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                              Category: dropped
                              Size (bytes): 494080
                              Entropy (8bit): 6.597009987303353
                              Encrypted: false
                              SSDEEP: 6144:dXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcN+5Gv:dX7tPMK8ctGe4Dzl4h2QnuPs/Z5vcv
                              MD5: C00E45FE6B36F599558F546CD45D7C52
                              SHA1: 094C1C6D8814B4D73E1AAFAABF9F8506F8551FB2
                              SHA-256: 7D2784F37A68E93B654BB2EB0C7EF1220194F82B80E1B394C3F1D2866861286F
                              SHA-512: 4EFAE9768498F16E94802FE90E35EE1B5A7188FFF4051B4CC5F0FB140CE74BAFF72108B2BB82908D64ECFC842AAA53CB05151E28CDCDD78DE244616681524893
                              Malicious: true
                              Yara Hits:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 87%
                              Reputation: low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~...R..~...r..~...j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..~................PE..L...X.rf.................r...........I............@.......................... ...........................................................H.......................;..@...8...........................x...@............................................text...uq.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..B........................................................................................................................................................................................................
                              Process: C:\Users\user\Desktop\FdSJYyDayo.exe
                              File Type: ASCII text, with CRLF line terminators
                              Category: modified
                              Size (bytes): 26
                              Entropy (8bit): 3.95006375643621
                              Encrypted: false
                              SSDEEP: 3:ggPYV:rPYV
                              MD5: 187F488E27DB4AF347237FE461A079AD
                              SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious: true
                              Reputation: high, very likely benign file
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process: C:\ProgramData\27 de Junio\27 de Junio.exe
                              File Type: data
                              Category: dropped
                              Size (bytes): 360
                              Entropy (8bit): 3.2914757162646
                              Encrypted: false
                              SSDEEP: 6:6lmndNeb5YcIeeDAlOWAAe5q1gWAAe5q1gWAAe5q1gWAv:6ltec0WFe5BWFe5BWFe5BW+
                              MD5: 8B4C68C7FCAC1A287F4388B2589F5CC6
                              SHA1: 1622714E6C91129CB2407346C43C419C594431E5
                              SHA-256: DB32C8BBD74FCCED5C6431FA36D842D29BF99F34E34462A286FB216678FFCA8B
                              SHA-512: EFC8D693D74964C7DB3C8E0DDE22FDE8529AF02533FDD219C92F2E16050964A785DE0E0F720A554E1271450FDB4E2C60760528D161649620397DA087B1D02AC7
                              Malicious: true
                              Yara Hits:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                              Reputation: low
                              Preview:....[.2.0.2.4./.0.8./.2.9. .1.0.:.0.6.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                              Process: C:\ProgramData\27 de Junio\27 de Junio.exe
                              File Type: JSON data
                              Category: dropped
                              Size (bytes): 962
                              Entropy (8bit): 5.013811273052389
                              Encrypted: false
                              SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                              MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
                              SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                              SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                              SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                              Malicious: false
                              Reputation: moderate, very likely benign file
                              Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                              File type: PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit): 6.597009987303353
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name: FdSJYyDayo.exe
                              File size: 494'080 bytes
                              MD5: c00e45fe6b36f599558f546cd45d7c52
                              SHA1: 094c1c6d8814b4d73e1aafaabf9f8506f8551fb2
                              SHA256: 7d2784f37a68e93b654bb2eb0c7ef1220194f82b80e1b394c3f1d2866861286f
                              SHA512: 4efae9768498f16e94802fe90e35ee1b5a7188fff4051b4cc5f0fb140ce74baff72108b2bb82908d64ecfc842aaa53cb05151e28cdcdd78de244616681524893
                              SSDEEP: 6144:dXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcN+5Gv:dX7tPMK8ctGe4Dzl4h2QnuPs/Z5vcv
                              TLSH: 16B49E01BAD1C072D57524300D36F776EAB8BD2028364A7BB3D61D5BFE31190B62A6B7
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..
                              Icon Hash: 95694d05214c1b33
                              Entrypoint: 0x4349ef
                              Entrypoint Section: .text
                              Digitally signed: false
                              Imagebase: 0x400000
                              Subsystem: windows gui
                              Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics: TERMINAL_SERVER_AWARE
                              Time Stamp: 0x66728C58 [Wed Jun 19 07:44:24 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major: 5
                              OS Version Minor: 1
                              File Version Major: 5
                              File Version Minor: 1
                              Subsystem Version Major: 5
                              Subsystem Version Minor: 1
                              Import Hash: 8d5087ff5de35c3fbb9f212b47d63cad
                              Instruction
                              call 00007FFBC0F04B8Ch
                              jmp 00007FFBC0F045A3h
                              push ebp
                              mov ebp, esp
                              sub esp, 00000324h
                              push ebx
                              push esi
                              push 00000017h
                              call 00007FFBC0F26E04h
                              test eax, eax
                              je 00007FFBC0F04717h
                              mov ecx, dword ptr [ebp+08h]
                              int 29h
                              xor esi, esi
                              lea eax, dword ptr [ebp-00000324h]
                              push 000002CCh
                              push esi
                              push eax
                              mov dword ptr [00471D14h], esi
                              call 00007FFBC0F06B77h
                              add esp, 0Ch
                              mov dword ptr [ebp-00000274h], eax
                              mov dword ptr [ebp-00000278h], ecx
                              mov dword ptr [ebp-0000027Ch], edx
                              mov dword ptr [ebp-00000280h], ebx
                              mov dword ptr [ebp-00000284h], esi
                              mov dword ptr [ebp-00000288h], edi
                              mov word ptr [ebp-0000025Ch], ss
                              mov word ptr [ebp-00000268h], cs
                              mov word ptr [ebp-0000028Ch], ds
                              mov word ptr [ebp-00000290h], es
                              mov word ptr [ebp-00000294h], fs
                              mov word ptr [ebp-00000298h], gs
                              pushfd
                              pop dword ptr [ebp-00000264h]
                              mov eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-0000026Ch], eax
                              lea eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-00000260h], eax
                              mov dword ptr [ebp-00000324h], 00010001h
                              mov eax, dword ptr [eax-04h]
                              push 00000050h
                              mov dword ptr [ebp-00000270h], eax
                              lea eax, dword ptr [ebp-58h]
                              push esi
                              push eax
                              call 00007FFBC0F06AEEh
                              Programming Language:
                              • [C++] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eea8 | 0x104 | .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x48ac | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bcc | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d340 | 0x38 | .rdata
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3d4 | 0x18 | .rdata
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d378 | 0x40 | .rdata
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x4fc | .rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x57175 | 0x57200 | f959ed65f49a903603bc150bbb7292aa | False | 0.571329694225251 | data | 6.62552167894442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rdata | 0x59000 | 0x179b6 | 0x17a00 | cb0626634f7bf1c5779954b9e8e456d0 | False | 0.5005787037037037 | Zebra Metafile graphic (comment = \210\002\007) | 5.859466241544869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data | 0x71000 | 0x5d44 | 0xe00 | fa1a169b9414830def88848af87110b5 | False | 0.22154017857142858 | data | 3.00580031855032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .gfids | 0x78000 | 0x230 | 0x400 | 09e4699aa75951ab53e804fe4f9a3b6b | False | 0.3271484375 | data | 2.349075166240886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .rsrc | 0x79000 | 0x48ac | 0x4a00 | c35fd4df4fff2e8495236400ffbeeec9 | False | 0.25380067567567566 | data | 3.815921536460377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0x7e000 | 0x3bcc | 0x3c00 | 0a6e61b09628beca43d4bf9604f65238 | False | 0.7639973958333334 | data | 6.718533933603825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                              RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                              RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                              RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                              RT_RCDATA | 0x7d5cc | 0x29f | data | | | 1.0163934426229508
                              RT_GROUP_ICON | 0x7d86c | 0x3e | data | English | United States | 0.8064516129032258
                              DLL | Import
                              KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
                              USER32.dll | GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
                              GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
                              ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
                              SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                              ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
                              SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
                              WINMM.dll | waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
                              WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
                              urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                              gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
                              WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                              Language of compilation system | Country where language is spoken | Map
                              English | United States |
                              Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                              2024-08-29T16:06:56.322890+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              2024-08-29T16:09:00.868774+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              2024-08-29T16:06:57.000533+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              2024-08-29T16:06:57.858069+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              2024-08-29T16:11:00.964719+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Aug 29, 2024 16:06:56.316940069 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:06:56.321790934 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:06:56.321871996 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:06:56.322890043 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:06:56.327771902 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:06:57.000533104 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:06:57.001924992 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:06:57.015131950 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:06:57.148525000 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:06:57.195316076 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:06:57.220074892 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:06:57.226629972 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
                              Aug 29, 2024 16:06:57.226689100 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:06:57.226824999 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:06:57.231746912 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
                              Aug 29, 2024 16:06:57.857980967 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
                              Aug 29, 2024 16:06:57.858068943 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:06:58.003222942 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:06:58.011060953 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:06:58.864144087 CEST | 80 | 49731 | 178.237.33.50 | 192.168.2.4
                              Aug 29, 2024 16:06:58.864237070 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:07:00.850959063 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:07:00.857755899 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:07:00.862634897 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:07:30.856880903 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:07:30.858069897 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:07:30.862859011 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:08:00.883070946 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:08:00.909198046 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:08:00.914004087 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:08:30.877777100 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:08:30.879010916 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:08:30.884149075 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:08:47.196085930 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:08:47.679888964 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:08:48.289273024 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:08:49.494884968 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:08:51.992403030 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:08:56.974507093 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:09:00.868773937 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:09:00.871083975 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:09:00.875927925 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:09:06.586189985 CEST | 49731 | 80 | 192.168.2.4 | 178.237.33.50
                              Aug 29, 2024 16:09:30.930414915 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:09:30.935935020 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:09:30.940915108 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:10:00.925805092 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:10:00.928024054 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:10:00.932864904 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:10:30.946767092 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:10:30.987915039 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:10:30.992755890 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:11:00.964719057 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Aug 29, 2024 16:11:00.966078043 CEST | 49730 | 8997 | 192.168.2.4 | 190.70.119.188
                              Aug 29, 2024 16:11:00.971199036 CEST | 8997 | 49730 | 190.70.119.188 | 192.168.2.4
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Aug 29, 2024 16:06:56.185956955 CEST | 63717 | 53 | 192.168.2.4 | 1.1.1.1
                              Aug 29, 2024 16:06:56.314169884 CEST | 53 | 63717 | 1.1.1.1 | 192.168.2.4
                              Aug 29, 2024 16:06:57.207109928 CEST | 52601 | 53 | 192.168.2.4 | 1.1.1.1
                              Aug 29, 2024 16:06:57.216506958 CEST | 53 | 52601 | 1.1.1.1 | 192.168.2.4
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Aug 29, 2024 16:06:56.185956955 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f79 | Standard query (0) | colombiaeslibre9889.dynuddns.com | A (IP address) | IN (0x0001) | false
                              Aug 29, 2024 16:06:57.207109928 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f9c | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Aug 29, 2024 16:06:56.314169884 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f79 | No error (0) | colombiaeslibre9889.dynuddns.com | | 190.70.119.188 | A (IP address) | IN (0x0001) | false
                              Aug 29, 2024 16:06:57.216506958 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f9c | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                              • geoplugin.net
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | 5968 | C:\ProgramData\27 de Junio\27 de Junio.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Aug 29, 2024 16:06:57.226824999 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                              Host: geoplugin.net
                              Cache-Control: no-cache
                              Aug 29, 2024 16:06:57.857980967 CEST | 1170 | IN | HTTP/1.1 200 OK
                              date: Thu, 29 Aug 2024 14:06:57 GMT
                              server: Apache
                              content-length: 962
                              content-type: application/json; charset=utf-8
                              cache-control: public, max-age=300
                              access-control-allow-origin: *
                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                              Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
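The DNS answers and the HTTP session above are enough for a first detection of this sample's start-up behaviour: a C2 host on a dynamic-DNS zone (colombiaeslibre9889.dynuddns.com) resolving to 190.70.119.188, an implant-initiated GET /json.gp to geoplugin.net (the geolocation lookup Remcos performs after start, here issued by the copy in C:\ProgramData, PID 5968), and the original binary running again from C:\ProgramData with an unchanged MD5. The following Python is an added example and not part of the Joe Sandbox report. The event records are constructed from the values the report shows; the record layout, the dynamic-DNS suffix list and the browser allow-list are assumptions of this example, not anything the sandbox exports.

```python
"""Detection over constructed DNS, HTTP and process events mirroring this report.

Added example, not code from the Joe Sandbox report. Field values are taken from
the report; the record layout and the dynamic-DNS suffix list are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Dynamic-DNS providers frequently used to front RAT C2 (assumed list; dynuddns.com
# is the zone this sample resolves).
DYNDNS_SUFFIXES = ("dynuddns.com", "dynuddns.net", "duckdns.org", "ddns.net", "no-ip.org")

# Remcos fetches its geolocation from geoplugin.net at start-up. The request comes
# from the implant process itself, which is what makes it detectable.
GEO_HOST = "geoplugin.net"
GEO_PATH = "/json.gp"
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

SAMPLE_MD5 = "C00E45FE6B36F599558F546CD45D7C52"


@dataclass(frozen=True)
class DnsAnswer:
    ts: str
    name: str
    address: str


@dataclass(frozen=True)
class HttpRequest:
    ts: str
    dst_ip: str
    dst_port: int
    pid: int
    process: str
    method: str
    path: str
    host: str


@dataclass(frozen=True)
class Process:
    target_id: int
    path: str
    md5: str
    elevated: bool


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Constructed from the report's DNS answer table.
DNS_ANSWERS = [
    DnsAnswer("2024-08-29 16:06:56.314 CEST", "colombiaeslibre9889.dynuddns.com", "190.70.119.188"),
    DnsAnswer("2024-08-29 16:06:57.216 CEST", "geoplugin.net", "178.237.33.50"),
]

# Constructed from the report's HTTP session (session 0, PID 5968).
HTTP_REQUESTS = [
    HttpRequest("2024-08-29 16:06:57.226 CEST", "178.237.33.50", 80, 5968,
                r"C:\ProgramData\27 de Junio\27 de Junio.exe", "GET", GEO_PATH, GEO_HOST),
]

# Constructed from the report's process list (target IDs 0, 1, 2, 4, 7).
PROCESSES = [
    Process(0, r"C:\Users\user\Desktop\FdSJYyDayo.exe", SAMPLE_MD5, True),
    Process(1, r"C:\ProgramData\27 de Junio\27 de Junio.exe", SAMPLE_MD5, True),
    Process(2, r"C:\ProgramData\27 de Junio\27 de Junio.exe", SAMPLE_MD5, False),
    Process(4, r"C:\ProgramData\27 de Junio\27 de Junio.exe", SAMPLE_MD5, False),
    Process(7, r"C:\ProgramData\27 de Junio\27 de Junio.exe", SAMPLE_MD5, False),
]


def is_dyndns(name: str) -> bool:
    """True when the FQDN sits under one of the dynamic-DNS provider zones."""
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(dns: List[DnsAnswer], http: List[HttpRequest], procs: List[Process],
           sample_md5: str) -> List[Finding]:
    findings: List[Finding] = []

    # 1. C2 domain hosted on dynamic DNS.
    for a in dns:
        if is_dyndns(a.name):
            findings.append(Finding("dyndns-c2", f"{a.name} -> {a.address} at {a.ts}"))

    # 2. Geolocation lookup issued by a non-browser process (Remcos start-up check).
    for r in http:
        if r.host.lower() == GEO_HOST and r.path == GEO_PATH and image_name(r.process) not in BROWSERS:
            findings.append(Finding(
                "remcos-geoip-check",
                f"pid {r.pid} {r.process} {r.method} http://{r.host}{r.path} ({r.dst_ip}:{r.dst_port})"))

    # 3. The sample running again from C:\ProgramData with an unchanged hash:
    #    the installed copy, reported once per distinct path with all target IDs.
    copies: Dict[str, List[int]] = {}
    for p in procs:
        if p.path.lower().startswith("c:\\programdata\\") and p.md5.lower() == sample_md5.lower():
            copies.setdefault(p.path, []).append(p.target_id)
    for path, ids in copies.items():
        findings.append(Finding("self-copy-persistence", f"{path} (targets {ids}, md5 {sample_md5})"))

    return findings


if __name__ == "__main__":
    for f in detect(DNS_ANSWERS, HTTP_REQUESTS, PROCESSES, SAMPLE_MD5):
        print(f"{f.rule:24} {f.detail}")
```

Two caveats when moving this to real telemetry: geoplugin.net is legitimate infrastructure, so the rule keys on the requesting image rather than the destination, and the `geoplugin_request` value in the response (8.46.123.33 above) is the public address of the requesting host, i.e. the sandbox's egress, not an attacker indicator.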



                              Target ID:0
                              Start time:10:06:55
                              Start date:29/08/2024
                              Path:C:\Users\user\Desktop\FdSJYyDayo.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\FdSJYyDayo.exe"
                              Imagebase:0x400000
                              File size:494'080 bytes
                              MD5 hash:C00E45FE6B36F599558F546CD45D7C52
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1672378091.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1672747458.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1674480983.000000000072E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:10:06:55
                              Start date:29/08/2024
                              Path:C:\ProgramData\27 de Junio\27 de Junio.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\ProgramData\27 de Junio\27 de Junio.exe"
                              Imagebase:0x400000
                              File size:494'080 bytes
                              MD5 hash:C00E45FE6B36F599558F546CD45D7C52
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4140240474.00000000021FF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4139888253.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.4139824044.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.1674126891.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4139888253.000000000056E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\ProgramData\27 de Junio\27 de Junio.exe, Author: ditekSHen
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 87%, ReversingLabs
                              Reputation:low
                              Has exited:false

                              Target ID:2
                              Start time:10:07:08
                              Start date:29/08/2024
                              Path:C:\ProgramData\27 de Junio\27 de Junio.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\ProgramData\27 de Junio\27 de Junio.exe"
                              Imagebase:0x400000
                              File size:494'080 bytes
                              MD5 hash:C00E45FE6B36F599558F546CD45D7C52
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1803831388.0000000000528000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000000.1802942700.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:10:07:16
                              Start date:29/08/2024
                              Path:C:\ProgramData\27 de Junio\27 de Junio.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\ProgramData\27 de Junio\27 de Junio.exe"
                              Imagebase:0x400000
                              File size:494'080 bytes
                              MD5 hash:C00E45FE6B36F599558F546CD45D7C52
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.1883697788.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1884459506.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1884579837.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:10:07:24
                              Start date:29/08/2024
                              Path:C:\ProgramData\27 de Junio\27 de Junio.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\ProgramData\27 de Junio\27 de Junio.exe"
                              Imagebase:0x400000
                              File size:494'080 bytes
                              MD5 hash:C00E45FE6B36F599558F546CD45D7C52
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1965049891.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000000.1964515889.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.1964940474.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true
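
Every process above carries the JoeSecurity_UACBypassusingCMSTP match, and the dropped copy additionally matches INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (MITRE T1218.003). That technique obtains the auto-elevated ICMLuaUtil interface of the CMSTPLUA COM class through the COM elevation moniker, so the cheapest static check is to look for that moniker, in narrow and in wide form, in the image. The following Python is an added example, not the sandbox's or the rule author's code. The report does not reproduce the sample's bytes, so the buffer scanned here is constructed, and whether this sample stores the moniker in clear text is not shown on the page.

```python
"""Static check for the CMSTPLUA elevation moniker (UAC bypass via the ICMLuaUtil
COM interface, MITRE T1218.003).

Added example, not the Joe Sandbox or ditekSHen rule code. The sample's bytes are
not reproduced in the report, so the scanned buffer is constructed below.
"""
import re
from typing import Dict, List, Tuple

# CLSID of CMSTPLUA. Its ICMLuaUtil interface is auto-elevated, so a medium-integrity
# process that instantiates it through the elevation moniker receives an elevated object.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
ELEVATION_MONIKER = "Elevation:Administrator!new:" + CMSTPLUA_CLSID
# CoGetObject is the API that resolves a moniker string. Its presence next to the
# moniker is supporting evidence, not proof on its own.
COGETOBJECT = "CoGetObject"


def _patterns(s: str) -> Dict[str, "re.Pattern[bytes]"]:
    """Byte patterns for a string as it may appear in a PE: narrow ASCII or UTF-16LE."""
    return {
        "ascii": re.compile(re.escape(s.encode("ascii")), re.IGNORECASE),
        "utf16le": re.compile(re.escape(s.encode("utf-16-le")), re.IGNORECASE),
    }


def find_all(data: bytes, s: str) -> List[Tuple[str, int]]:
    """All (encoding, offset) occurrences of s in data, case-insensitive."""
    hits: List[Tuple[str, int]] = []
    for enc, pat in _patterns(s).items():
        hits.extend((enc, m.start()) for m in pat.finditer(data))
    return hits


def scan_cmstplua(data: bytes) -> dict:
    """Grade a buffer: the full moniker is a firm indicator, the bare CLSID or the
    CoGetObject import alone only raises suspicion."""
    moniker = find_all(data, ELEVATION_MONIKER)
    clsid = find_all(data, CMSTPLUA_CLSID)
    api = bool(find_all(data, COGETOBJECT))
    if moniker:
        verdict = "uac-bypass-cmstplua"
    elif clsid or api:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "moniker": moniker, "clsid": clsid, "cogetobject": api}


# Constructed stand-in for a PE image: DOS header bytes, the moniker as a wide string
# (the form a CoGetObject caller normally keeps it in) and the import name.
SAMPLE_BUFFER = (b"MZ\x90\x00" + b"\x00" * 60
                 + ELEVATION_MONIKER.encode("utf-16-le") + b"\x00\x00"
                 + b"\x00" * 16 + COGETOBJECT.encode("ascii") + b"\x00")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUFFER
    print(scan_cmstplua(data))
```

Run it against the dropped file or any memory dump from the process list; a "clean" verdict only means the moniker is not stored in clear text, since a sample that builds the string at runtime is caught by the behavioural rule, not by this scan.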


                                Execution Graph

                                Execution Coverage:1.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:31%
                                Total number of Nodes:703
                                Total number of Limit Nodes:15
execution_graph: interactive node/edge dump (703 nodes); the edge list is not reproduced here, only the nodes that carry API names, grouped by what they do. The dump is truncated in the source.
• CRT start-up and error handling: 434c52 IsProcessorFeaturePresent; 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter; 4440bf IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess; 434b27 GetStartupInfoW; 4432f6 GetModuleHandleW; 446160 HeapAlloc
• Dynamic API resolution: 41cb50, 41cb8f, 41cba8 LoadLibraryA GetProcAddress; 41cb7f GetModuleHandleA GetProcAddress
• Own image and embedded resource: 40e9e1 GetModuleFileNameW; 41b4a8 FindResourceA; 41b4c5 LoadResource LockResource SizeofResource
• Registry: 413549 RegOpenKeyExA; 413573 RegQueryValueExA RegCloseKey; 4136f8 and 4134ff RegOpenKeyExA RegQueryValueExA RegCloseKey; 413814 RegCreateKeyW; 413a23 RegOpenKeyExW RegDeleteValueW
• File system, launch and exit: 40ce1f and 40cf6d CreateDirectoryW; 40cec8 CopyFileW; 40cfbc and 40cfdc SetFileAttributesW; 40db99 GetLongPathNameW; 40d027 CloseHandle; 40d043 ShellExecuteW; 40d060 ExitProcess; 40f346 DeleteFileW; 40f334 Sleep
• Mutex: 40d069 and 40d073 CreateMutexA GetLastError
• Process and thread creation: 407755 CreateProcessA CloseHandle CloseHandle; CreateThread at 40efc8, 40f0eb, 40f13f, 40f237, 40f258 and 40f26d
• String conversion and formatting: 40f0a1 and 41b33b StrToIntA; 43baac _swprintf (39 API calls)
• Largest opaque subgraphs, shown in the dump only by their API-call count: 409de4 (171), 414f2a (169), 40f7a7 (120), 419fb4 (109), 40f474 (106), 41ad17 (105), 407260 (97), 40fbb3 (95), 41cd9b (87), 41b60d (80), 41b4ef (79), 40fb64 (77), 40f3b0 (70), 412475 (65)
40207b 47142->47143 47151 40267a 47143->47151 47147 405282 47146->47147 47150 4028a4 22 API calls 47147->47150 47152 40268b 47151->47152 47153 4023ce 11 API calls 47152->47153 47154 40208d 47153->47154 47154->46838 47155->46846 47156->46851 47159 41bfc4 GetCurrentProcess IsWow64Process 47158->47159 47160 41b2d1 47158->47160 47159->47160 47161 41bfdb 47159->47161 47162 4135a6 RegOpenKeyExA 47160->47162 47161->47160 47163 4135d4 RegQueryValueExA RegCloseKey 47162->47163 47164 4135fe 47162->47164 47163->47164 47165 402093 28 API calls 47164->47165 47166 413613 47165->47166 47166->46862 47167->46870 47169 40b90c 47168->47169 47174 402252 47169->47174 47171 40b917 47178 40b92c 47171->47178 47173 40b926 47173->46881 47175 4022ac 47174->47175 47176 40225c 47174->47176 47175->47171 47176->47175 47185 402779 11 API calls std::_Deallocate 47176->47185 47179 40b966 47178->47179 47180 40b938 47178->47180 47197 4028a4 22 API calls 47179->47197 47186 4027e6 47180->47186 47184 40b942 47184->47173 47185->47175 47187 4027ef 47186->47187 47188 402851 47187->47188 47189 4027f9 47187->47189 47199 4028a4 22 API calls 47188->47199 47192 402802 47189->47192 47194 402815 47189->47194 47198 402aea 28 API calls __EH_prolog 47192->47198 47195 402813 47194->47195 47196 402252 11 API calls 47194->47196 47195->47184 47196->47195 47198->47195 47200->46884 47202 402347 47201->47202 47203 402252 11 API calls 47202->47203 47204 4023c7 47203->47204 47204->46884 47206 401f8e 47205->47206 47207 402252 11 API calls 47206->47207 47208 401f99 47207->47208 47208->46897 47208->46898 47208->46913 47210 404186 47209->47210 47211 402252 11 API calls 47210->47211 47212 404191 47211->47212 47221 4041bc 28 API calls 47212->47221 47214 40419c 47214->46909 47215->46904 47216->46931 47217->46930 47218->46919 47219->46923 47220->46929 47221->47214 47223 401f86 11 API calls 47222->47223 47224 409167 47223->47224 47268 40314c 47224->47268 47226 409184 47272 40325d 47226->47272 47228 40918c 47228->46962 47230 40cd33 
47229->47230 47231 40cd6f 47229->47231 47286 40b97c 47230->47286 47233 40b97c 28 API calls 47231->47233 47235 40cdb0 47231->47235 47237 40cd86 47233->47237 47234 40cdf1 47234->46980 47234->46981 47235->47234 47238 40b97c 28 API calls 47235->47238 47242 403014 28 API calls 47237->47242 47240 40cdc7 47238->47240 47239 403014 28 API calls 47241 40cd4f 47239->47241 47243 403014 28 API calls 47240->47243 47244 413814 14 API calls 47241->47244 47245 40cd90 47242->47245 47246 40cdd1 47243->47246 47247 40cd63 47244->47247 47248 413814 14 API calls 47245->47248 47249 413814 14 API calls 47246->47249 47250 401f09 11 API calls 47247->47250 47251 40cda4 47248->47251 47252 40cde5 47249->47252 47250->47231 47253 401f09 11 API calls 47251->47253 47254 401f09 11 API calls 47252->47254 47253->47235 47254->47234 47293 403222 47256->47293 47258 403022 47297 403262 47258->47297 47263 413866 47262->47263 47265 413829 47262->47265 47264 401f09 11 API calls 47263->47264 47266 40d01b 47264->47266 47267 413842 RegSetValueExW RegCloseKey 47265->47267 47266->47015 47267->47263 47269 403156 47268->47269 47270 403175 47269->47270 47271 4027e6 28 API calls 47269->47271 47270->47226 47271->47270 47273 40323f 47272->47273 47276 4036a6 47273->47276 47275 40324c 47275->47228 47277 402888 22 API calls 47276->47277 47278 4036b9 47277->47278 47279 40372c 47278->47279 47280 4036de 47278->47280 47285 4028a4 22 API calls 47279->47285 47282 4027e6 28 API calls 47280->47282 47284 4036f0 47280->47284 47282->47284 47284->47275 47287 401f86 11 API calls 47286->47287 47288 40b988 47287->47288 47289 40314c 28 API calls 47288->47289 47290 40b9a4 47289->47290 47291 40325d 28 API calls 47290->47291 47292 40b9b7 47291->47292 47292->47239 47294 40322e 47293->47294 47303 403618 47294->47303 47296 40323b 47296->47258 47298 40326e 47297->47298 47299 402252 11 API calls 47298->47299 47300 403288 47299->47300 47301 402336 11 API calls 47300->47301 47302 403031 47301->47302 47302->46966 47304 403626 47303->47304 47305 
403644 47304->47305 47306 40362c 47304->47306 47308 40365c 47305->47308 47309 40369e 47305->47309 47307 4036a6 28 API calls 47306->47307 47313 403642 47307->47313 47312 4027e6 28 API calls 47308->47312 47308->47313 47314 4028a4 22 API calls 47309->47314 47312->47313 47313->47296 47316 4024f9 47315->47316 47317 40250a 28 API calls 47316->47317 47318 4020b1 47317->47318 47318->46627

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                Control-flow Graph

                                (Control-flow graph for the function at 40e9c5; the rendered graph with its executed / not-executed block colouring is omitted. Its basic blocks reference GetModuleFileNameW, CreateThread, StrToIntA, Sleep and DeleteFileW.)
                                APIs
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\FdSJYyDayo.exe,00000104), ref: 0040E9EE
                                  • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\FdSJYyDayo.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-IN9IWC$Software\$User$dMG$del$del$exepath$licence$license_code.txt$xIs$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                • API String ID: 2830904901-3191836886
                                • Opcode ID: 8a6c2c2187a766e7c71a5247d826f4c94b5c0f918bced47fe90c81bb18daf3e4
                                • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                • Opcode Fuzzy Hash: 8a6c2c2187a766e7c71a5247d826f4c94b5c0f918bced47fe90c81bb18daf3e4
                                • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                Control-flow Graph

                                APIs
                                • _wcslen.LIBCMT ref: 0040CE07
                                • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                • CopyFileW.KERNELBASE(C:\Users\user\Desktop\FdSJYyDayo.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                • _wcslen.LIBCMT ref: 0040CEE6
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\FdSJYyDayo.exe,00000000,00000000), ref: 0040CF84
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                • _wcslen.LIBCMT ref: 0040CFC6
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                • ExitProcess.KERNEL32 ref: 0040D062
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                • String ID: 6$C:\Users\user\Desktop\FdSJYyDayo.exe$del$hdF$open$xIs
                                • API String ID: 1579085052-3635998882
                                • Opcode ID: f93ee9b19be39af8b2c6cf1a511189d127526c6382b99c39daec8717fd067cfe
                                • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                • Opcode Fuzzy Hash: f93ee9b19be39af8b2c6cf1a511189d127526c6382b99c39daec8717fd067cfe
                                • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

                                Control-flow Graph

                                APIs
                                • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                • Opcode Fuzzy Hash: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-2070987746
                                • Opcode ID: 96ddb31e540ae966eb624fdd9b0772b0253fe90f3b489e3583c12feb0da0b553
                                • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                • Opcode Fuzzy Hash: 96ddb31e540ae966eb624fdd9b0772b0253fe90f3b489e3583c12feb0da0b553
                                • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                 Control-flow Graph
                                APIs
                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,xIs,74DF37E0,?), ref: 0041384D
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,xIs,74DF37E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                • xIs, xrefs: 00413814
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$xIs
                                • API String ID: 1818849710-675847584
                                • Opcode ID: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                • Opcode Fuzzy Hash: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

                                 Control-flow Graph
                                APIs
                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                • GetLastError.KERNEL32 ref: 0040D083
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: Rmc-IN9IWC
                                • API String ID: 1925916568-614121637
                                • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                                 Control-flow Graph
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                • Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

                                 Control-flow Graph
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                • RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                  • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                  • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                  • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                • DeleteFileA.KERNEL32(?), ref: 00408652
                                  • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                  • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                  • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                  • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • Sleep.KERNEL32(000007D0), ref: 004086F8
                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                  • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                • API String ID: 1067849700-181434739
                                • Opcode ID: 3b7c4b3d7d449749017bc82f18da2b12a0677a5740b025592c3c036ee554d5ba
                                • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                • Opcode Fuzzy Hash: 3b7c4b3d7d449749017bc82f18da2b12a0677a5740b025592c3c036ee554d5ba
                                • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: 0423482584964133d0d19e65db76f813d50334c39a223a4c681c84889f8ac799
                                • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                • Opcode Fuzzy Hash: 0423482584964133d0d19e65db76f813d50334c39a223a4c681c84889f8ac799
                                • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                APIs
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                • CloseHandle.KERNEL32(00000000), ref: 00412155
                                • CreateThread.KERNEL32(00000000,00000000,Function_000127EE,00000000,00000000,00000000), ref: 004121AB
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpen$HandleMutexProcessThreadValue
                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$xIs
                                • API String ID: 261377708-1626790587
                                • Opcode ID: d5a4f47a99d46a8bd21bcaceed06f590c7eb362a9ac5c8b3989ceeeb6310589c
                                • Instruction ID: 5044532447ce4e70f722e285ad7bc5f912dfeea71c25201e33dbc8cc77036b6f
                                • Opcode Fuzzy Hash: d5a4f47a99d46a8bd21bcaceed06f590c7eb362a9ac5c8b3989ceeeb6310589c
                                • Instruction Fuzzy Hash: 8171823160430167C618FB72CD579AE73A4AED0308F50057FF546A61E2FFBC9949C69A
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                • FindClose.KERNEL32(00000000), ref: 0040BD12
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                • Opcode Fuzzy Hash: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                APIs
                                • OpenClipboard.USER32 ref: 004168C2
                                • EmptyClipboard.USER32 ref: 004168D0
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@$hdF
                                • API String ID: 3520204547-3475379602
                                • Opcode ID: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                • Opcode Fuzzy Hash: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe$xIs
                                • API String ID: 3756808967-3268195817
                                • Opcode ID: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                • Opcode Fuzzy Hash: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                • FindClose.KERNEL32(00000000), ref: 0040BED0
                                Strings
                                Similarity
                                • API ID: Find$Close$File$FirstNext
                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 3527384056-432212279
                                • Opcode ID: 5d0565dfd04f48ee80346224fd960d4021310761f6a296d7b61b1ca4d4d71a86
                                • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                • Opcode Fuzzy Hash: 5d0565dfd04f48ee80346224fd960d4021310761f6a296d7b61b1ca4d4d71a86
                                • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                • CloseHandle.KERNEL32(?), ref: 00413465
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                • Opcode ID: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
                                • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                • Opcode Fuzzy Hash: 52b6b7bb2cc7c70124f03fd4dd600c064b869f903e3e72a7e1b27baf9a98f7f1
                                • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                Strings
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                • Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                APIs
                                • _wcslen.LIBCMT ref: 00407521
                                • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                Strings
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                • GetLastError.KERNEL32 ref: 0041A7BB
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: 9206af50c139a4972f8ad6fd42bba56160b21ad091b1fa9e470d4b003cbebb8b
                                • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                • Opcode Fuzzy Hash: 9206af50c139a4972f8ad6fd42bba56160b21ad091b1fa9e470d4b003cbebb8b
                                • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                Strings
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: (eF$8SG$PXG$PXG$NG$PG
                                • API String ID: 341183262-875132146
                                • Opcode ID: bef3662a98f203fd8959110ad3b8c393325e7dbc5807a61bff8cf10b28a3f201
                                • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                • Opcode Fuzzy Hash: bef3662a98f203fd8959110ad3b8c393325e7dbc5807a61bff8cf10b28a3f201
                                • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                • FindClose.KERNEL32(00000000), ref: 0040C47D
                                • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                Strings
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                • Opcode Fuzzy Hash: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID:
                                • API String ID: 2341273852-0
                                • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                • GetLastError.KERNEL32 ref: 0040A2ED
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                • TranslateMessage.USER32(?), ref: 0040A34A
                                • DispatchMessageA.USER32(?), ref: 0040A355
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A301
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                • Opcode Fuzzy Hash: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                APIs
                                • GetForegroundWindow.USER32 ref: 0040A416
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                • GetKeyState.USER32(00000010), ref: 0040A433
                                • GetKeyboardState.USER32(?), ref: 0040A43E
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                APIs
                                Strings
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$PkGNG
                                • API String ID: 4168288129-3873169313
                                • Opcode ID: d95690e0b6e6c864278ea550f2cfeefdc475363cedebba9bd57c416b56382187
                                • Instruction ID: adbfc57a6ba9eb8fd61ef87ee4788d0f45260f030e03b769905361500cdb2a19
                                • Opcode Fuzzy Hash: d95690e0b6e6c864278ea550f2cfeefdc475363cedebba9bd57c416b56382187
                                • Instruction Fuzzy Hash: EBC26E71E046288FDB25CE28DD407EAB3B5EB85306F1541EBD80DE7241E778AE898F45
                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                Strings
                                Similarity
                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                • API String ID: 2127411465-314212984
                                • Opcode ID: 5c1ab5f3fb1cf2b2c54c0a1d939c6765263ff7c3c04796efd8fccf04486207c6
                                • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                • Opcode Fuzzy Hash: 5c1ab5f3fb1cf2b2c54c0a1d939c6765263ff7c3c04796efd8fccf04486207c6
                                • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Yara matches
                                Similarity
                                • API ID: DownloadExecuteFileShell
                                • String ID: aF$ aF$C:\Users\user\Desktop\FdSJYyDayo.exe$open
                                • API String ID: 2825088817-891909452
                                APIs
                                • __EH_prolog.LIBCMT ref: 00408811
                                • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID: hdF
                                • API String ID: 1771804793-665520524
                                APIs
                                  • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                  • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                  • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                  • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                  • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-2876530381
                                APIs
                                  • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                  • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                  • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                • ExitProcess.KERNEL32 ref: 0040F8CA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 5.0.0 Pro$override$pth_unenc$xIs
                                • API String ID: 2281282204-2748174302
                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                • GetLastError.KERNEL32 ref: 0040BA58
                                Strings
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                • [Chrome StoredLogins not found], xrefs: 0040BA72
                                • UserProfile, xrefs: 0040BA1E
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                • GetLastError.KERNEL32 ref: 0041799D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                APIs
                                • __EH_prolog.LIBCMT ref: 00409258
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                • FindClose.KERNEL32(00000000), ref: 004093C1
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095B9
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                • String ID:
                                • API String ID: 1824512719-0
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                APIs
                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
                                • GetACP.KERNEL32 ref: 00452513
                                Strings
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: (eF$XPG$XPG
                                • API String ID: 4113138495-1496965907
                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                • wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                • API String ID: 1497725170-248792730
                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                APIs
                                • __EH_prolog.LIBCMT ref: 0040966A
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                • Opcode Fuzzy Hash: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetUserDefaultLCID.KERNEL32 ref: 0045271C
                                • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID:
                                • API String ID: 745075371-0
                                • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                  • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                  • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3576401099
                                • Opcode ID: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                • Opcode Fuzzy Hash: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                APIs
                                • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                • ExitProcess.KERNEL32 ref: 004432EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID: PkGNG
                                • API String ID: 1703294689-263838557
                                • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • IsValidCodePage.KERNEL32(00000000), ref: 00451DBA
                                • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                • _wcschr.LIBVCRUNTIME ref: 00451E58
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451EFB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                • String ID:
                                • API String ID: 4212172061-0
                                • Opcode ID: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
                                • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                • Opcode Fuzzy Hash: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
                                • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                APIs
                                • _free.LIBCMT ref: 004493BD
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • GetTimeZoneInformation.KERNEL32 ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                • String ID:
                                • API String ID: 806657224-0
                                • Opcode ID: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                                • Instruction ID: 1863d2ad967fb4723a60e4ea427cb143a9fbff6035582c54e6546b9b7662ab80
                                • Opcode Fuzzy Hash: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                                • Instruction Fuzzy Hash: E1312570908201EFDB18DF69DE8086EBBB8FF0572071442AFE054973A1D3748D42DB18
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorInfoLastLocale$_free$_abort
                                • String ID:
                                • API String ID: 2829624132-0
                                • Opcode ID: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                                • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                • Opcode Fuzzy Hash: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                                • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                APIs
                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Crypt$Context$AcquireRandomRelease
                                • String ID:
                                • API String ID: 1815803762-0
                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                APIs
                                • OpenClipboard.USER32(00000000), ref: 0040B711
                                • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                • CloseClipboard.USER32 ref: 0040B725
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseDataOpen
                                • String ID:
                                • API String ID: 2058664381-0
                                • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                                • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenSuspend
                                • String ID:
                                • API String ID: 1999457699-0
                                • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                                • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                                • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                                • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenResume
                                • String ID:
                                • API String ID: 3614150671-0
                                • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                                • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,000000FF,?,00000008,PkGNG,PkGNG,00453326,000000FF,?,00000008,?,?,004561DD,00000000), ref: 00453558
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID: PkGNG
                                • API String ID: 3997070919-263838557
                                • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction ID: ef9cfcefdd20db456822e604066c987cb5d00f1002a97bdaec88d2537339d9b1
                                • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-3916222277
                                • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: GetLocaleInfoEx
                                • API String ID: 2299586839-2904428671
                                • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                APIs
                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
                                • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Name$ComputerUser
                                • String ID:
                                • API String ID: 4229901323-0
                                • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
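The record above (API ID Name$ComputerUser) is the one an incident responder pulls out of this listing first: a single function that resolves the machine name and the logged-on user name. The Python script below is an added example, not part of the Joe Sandbox report or of the sample's own code. It parses function records written in this report's text layout into structured API calls and then asks two triage questions of them: which function collects host and user name, and which call-site arguments the sandbox resolved to strings rather than hex values (here PkGNG and 5.0.0 Pro). The sample input is constructed from lines copied from the records on this page, with the last record cut off as it is here; the regular expressions, class names and helper names are the example's own assumptions about the layout.

```python
"""Parse Joe Sandbox per-function records (this report's text layout) into structured API-call data for triage. Added example."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the function records in this report. The
# third record is truncated exactly as the report is, so it has no fuzzy-hash line.
SAMPLE = """\
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,000000FF,?,00000008,PkGNG,PkGNG,00453326,000000FF,?,00000008,?,?,004561DD,00000000), ref: 00453558
• Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExceptionRaise
• String ID: PkGNG
• Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44
APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
• GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
Similarity
• API ID: Name$ComputerUser
• String ID:
• Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,5.0.0 Pro), ref: 0040F8E5
"""

# One API bullet: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, optional (args), optional comma, then "ref: <call-site addr>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# Any other "• Key: value" bullet (Source File, API ID, String ID, hashes, ...).
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEXWORD = re.compile(r"^[0-9A-F]{8}$")   # a plain 32-bit argument value


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                       # address of the call site in the dump
    subcall: Optional[str] = None  # callee address when reached via a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)
    complete: bool = False         # False for a record truncated before its hash

    @property
    def strings(self):
        # Joe Sandbox joins the referenced strings with "$" in the String ID field.
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    def direct_api_names(self):
        return {c.name for c in self.apis if c.subcall is None}


def parse_records(text):
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m:
            cur.meta[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":   # last field of a record
                cur.complete = True
                records.append(cur)
                cur = FunctionRecord()
    if cur.apis or cur.meta:       # keep a truncated trailing record, flagged
        records.append(cur)
    return records


def literal_args(records):
    """Arguments that are neither '?' nor a hex value: strings resolved at the call site."""
    return {a for r in records for c in r.apis for a in c.args
            if a != "?" and not HEXWORD.match(a)}


def fingerprint_functions(records):
    """Records whose own code resolves both the machine name and the user name."""
    return [r for r in records
            if any(n.startswith("GetComputerName") for n in r.direct_api_names())
            and any(n.startswith("GetUserName") for n in r.direct_api_names())]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in fingerprint_functions(recs):
        print("host fingerprint call sites:", [c.ref for c in r.apis])
    print("resolved string arguments:", sorted(literal_args(recs)))
    print("truncated records:", sum(not r.complete for r in recs))
```

Subcall lines are kept but marked, so a CRT helper such as 00448215 (GetLastError/_free) does not make every function that calls it look like it touches the registry of error state itself; only the calls the function issues directly count toward the fingerprint check.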
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG$A
                                • API String ID: 0-652289354
                                • Opcode ID: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
                                • Instruction ID: 79373b44a76dcf5e8091c0b891bec819a00bcae964dee749e010b71610d2b526
                                • Opcode Fuzzy Hash: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
                                • Instruction Fuzzy Hash: F7B1A5795142998ACF05EF28C4913F63BA1EF6A300F4851B9EC9DCF757D2398506EB24
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$PkGNG
                                • API String ID: 0-1056914901
                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction ID: b97fed3bff06dc01e1c808345b9e1576e5435f58d5e0cb17a963d6e43aa39459
                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction Fuzzy Hash: C8516A21E01A4496DB38892964D67BF67A99B1E304F18390FE443CB7C2C64DED06C35E
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                • HeapFree.KERNEL32(00000000), ref: 004120EE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$FreeProcess
                                • String ID:
                                • API String ID: 3859560861-0
                                • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                • Instruction ID: aa2317f629b7fe23c078ec1ce6c5eb8ae6c7f7e5ba67e2b2e47e92e01b9ebfde
                                • Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                • Instruction Fuzzy Hash: A4126F32B083008BD714EF6AD851A1FB3E2BFCC758F15892EF585A7391DA34E9058B46
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
                                • Instruction ID: c5d71c01a3a4c2ba568a1e95f45065819b1df519d68335ab1a8a94a68da0c1ef
                                • Opcode Fuzzy Hash: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
                                • Instruction Fuzzy Hash: 1002BFB17146519BC318CF2EEC8053AB7E1BB8D301745863EE495C7795EB34E922CB98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 5962e5082cf13a8249de797b5eebe59d3637d4add307bccac64aa69d81196930
                                • Instruction ID: 4a18c9c21abf6ab3d0e9afb34562907cd60dbb70f6b305f111ae620774dcdf5c
                                • Opcode Fuzzy Hash: 5962e5082cf13a8249de797b5eebe59d3637d4add307bccac64aa69d81196930
                                • Instruction Fuzzy Hash: 42F18C716142559FC304DF1EE89182BB3E1FB89301B450A2EF5C2C7391DB79EA16CB9A
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$InfoLocale_abort
                                • String ID:
                                • API String ID: 1663032902-0
                                • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(004520C3,00000001), ref: 0045200D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
                                • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                • Opcode Fuzzy Hash: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
                                • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$InfoLocale_abort_free
                                • String ID:
                                • API String ID: 2692324296-0
                                • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00452313,00000001), ref: 00452082
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
                                • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                • Opcode Fuzzy Hash: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
                                • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                APIs
                                  • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                • EnumSystemLocalesW.KERNEL32(Function_000483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00451EA7,00000001), ref: 00451F87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                APIs
                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                • Instruction Fuzzy Hash:
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction ID: cdd912994a32e16cda9accbda93f1ea0618352901e275441ec4d65c4c105c2b3
                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction Fuzzy Hash: 9C514771603648A7DF3489AB88567BF63899B0E344F18394BD882C73C3C62DED02975E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                • Instruction ID: e4f6ca204f58efd2523fb0dbef6dba8f744ce0bfcff40a2940ff04dc0a880f4e
                                • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                • Instruction Fuzzy Hash: A841FB75A187558BC340CF29C58061BFBE1FFD8318F655A1EF889A3350D375E9428B86
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5da51411db3bde963f465f05a0d8b0dbce9b500299d5c90620e57fed4b77625f
                                • Instruction ID: ecf94096385373c2e9f2c5c276bef480e2dc0267d4a411ba40625ecd8b408152
                                • Opcode Fuzzy Hash: 5da51411db3bde963f465f05a0d8b0dbce9b500299d5c90620e57fed4b77625f
                                • Instruction Fuzzy Hash: 7F323831D69F014DE7239A35C862336A289BFB73C5F15D737F816B5AAAEB28C4834105
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
                                • Instruction ID: 709358690f7fb2d2e3012b2358c769367bf3ff6314f01af24d3ecfcd65fe7181
                                • Opcode Fuzzy Hash: 80a43d6613d2cc44a87a2a7b42b24337b7313d3f5d9f36f695e048a997dbb0e1
                                • Instruction Fuzzy Hash: 443290716087459BD715DE28C4807AAB7E1BF84318F044A3EF89587392D778DD8BCB8A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction ID: b3ba5b81110409d95a5723b53b6c8744913893e641e186edab39e166e1bc966b
                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction Fuzzy Hash: 7DC1B1723091930ADF2D4A3D853453FFBA15AA57B171A275FE8F2CB2C1EE18C524D524
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction ID: 7f684bb0481695d58232a2b0d47c85f4cbd32b92c5f53758fc2a28b9861b6fac
                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction Fuzzy Hash: EAC1C5723092930ADF2D463D853453FFBA15AA57B171A275EE8F2CB2C5FE28C524C614
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction ID: b4bbf9256ac03f5d23606f900b1ff113549fac5ad7a5b3908127750d008d8003
                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction Fuzzy Hash: FDC1B0B230D1930ADB3D4A3D953453FBBA15AA63B171A275ED8F2CB2C1FE18C524D624
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction ID: c0cc860fb011aaa8bec1e183ca1ba44e4399d72b3d9d4532b0ef978257cdf629
                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction Fuzzy Hash: 08C1A0B230D1930ADB3D463D853853FBBA15AA67B171A276ED8F2CB2C1FE18C524D614
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
                                • Instruction ID: 9176630f27626b4b14444871c43cfb7a364794bde640040d1d9abeeee83df0d0
                                • Opcode Fuzzy Hash: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
                                • Instruction Fuzzy Hash: E1614531602709E6EF349A2B48917BF2395AB1D304F58341BED42DB3C1D55DED428A1E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
                                • Instruction ID: c8a25274eb6ace22fd939f207aba0bb726f52b15d0dfb3f1b2e2615f3a586ecc
                                • Opcode Fuzzy Hash: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
                                • Instruction Fuzzy Hash: B2619C71602609A6DA34496B8893BBF6394EB6D308F94341BE443DB3C1E61DEC43875E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2ba1fc680d59fa3119c336882322ad8c37fd3cd0560676a8d3a4e4a4c2211dd3
                                • Instruction ID: 96b5c22f40dc969dc1399d427f9382315b517a9523814fa291cced01a0c32d8b
                                • Opcode Fuzzy Hash: 2ba1fc680d59fa3119c336882322ad8c37fd3cd0560676a8d3a4e4a4c2211dd3
                                • Instruction Fuzzy Hash: 5B617E72A083059FC304DF35D581A5FB7E5AFCC318F510E2EF499D6151EA35EA088B86
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction ID: 78f0f7b5b7642c22d8ee35c169576c4e0068381375f86828a5140fd971b96714
                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction Fuzzy Hash: 9311E6BB24034143D6088A2DCCB85B7E797EADD321F7D626FF0424B758DB2AA9459608

                                Control-flow Graph

                                control_flow_graph 1250 418e76-418ebd CreateDCA CreateCompatibleDC call 419325 1253 418ec3-418ede call 419367 1250->1253 1254 418ebf-418ec1 1250->1254 1255 418ee2-418ee4 1253->1255 1254->1253 1254->1255 1258 418f36-418f3d call 402093 1255->1258 1259 418ee6-418ee8 1255->1259 1263 418f42-418f4e 1258->1263 1259->1258 1260 418eea-418f21 call 41939d CreateCompatibleBitmap 1259->1260 1265 418f23-418f2f DeleteDC * 2 1260->1265 1266 418f4f-418f59 SelectObject 1260->1266 1269 418f30 DeleteObject 1265->1269 1267 418f5b 1266->1267 1268 418f6a-418f91 StretchBlt 1266->1268 1270 418f5c-418f68 DeleteDC * 2 1267->1270 1268->1267 1271 418f93-418f98 1268->1271 1269->1258 1270->1269 1272 419014-41901c 1271->1272 1273 418f9a-418faf GetCursorInfo 1271->1273 1275 41905e-419070 GetObjectA 1272->1275 1276 41901e-419025 1272->1276 1273->1272 1274 418fb1-418fc5 GetIconInfo 1273->1274 1274->1272 1277 418fc7-419010 DeleteObject * 2 DrawIcon 1274->1277 1275->1267 1280 419076-419088 1275->1280 1278 419027-41904c BitBlt 1276->1278 1279 41904e-41905b 1276->1279 1277->1272 1278->1275 1279->1275 1281 41908a-41908c 1280->1281 1282 41908e-419098 1280->1282 1285 4190c5 1281->1285 1283 4190c9-4190d2 1282->1283 1284 41909a-4190a4 1282->1284 1287 4190d3-41910d LocalAlloc 1283->1287 1284->1283 1286 4190a6-4190b0 1284->1286 1285->1283 1286->1283 1288 4190b2-4190b8 1286->1288 1289 419119-419150 GlobalAlloc 1287->1289 1290 41910f-419116 1287->1290 1291 4190c2-4190c4 1288->1291 1292 4190ba-4190c0 1288->1292 1293 419152-419156 1289->1293 1294 41915b-419170 GetDIBits 1289->1294 1290->1289 1291->1285 1292->1287 1293->1270 1295 419172-419193 DeleteDC * 2 DeleteObject GlobalFree 1294->1295 1296 419198-419260 call 4020df * 2 call 40250a call 403376 call 40250a call 403376 call 40250a call 403376 DeleteObject GlobalFree DeleteDC 1294->1296 1295->1258 1313 419262-419263 DeleteDC 1296->1313 1314 419265-419289 call 402055 call 401fd8 * 2 1296->1314 1313->1314 1314->1263
                                APIs
                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                  • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                • DeleteDC.GDI32(00000000), ref: 00418F2A
                                • DeleteDC.GDI32(00000000), ref: 00418F2D
                                • DeleteObject.GDI32(00000000), ref: 00418F30
                                • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                • DeleteDC.GDI32(00000000), ref: 00418F62
                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                • GetCursorInfo.USER32(?), ref: 00418FA7
                                • GetIconInfo.USER32(?,?), ref: 00418FBD
                                • DeleteObject.GDI32(?), ref: 00418FEC
                                • DeleteObject.GDI32(?), ref: 00418FF9
                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                • DeleteDC.GDI32(?), ref: 0041917C
                                • DeleteDC.GDI32(00000000), ref: 0041917F
                                • DeleteObject.GDI32(00000000), ref: 00419182
                                • GlobalFree.KERNEL32(?), ref: 0041918D
                                • DeleteObject.GDI32(00000000), ref: 00419241
                                • GlobalFree.KERNEL32(?), ref: 00419248
                                • DeleteDC.GDI32(?), ref: 00419258
                                • DeleteDC.GDI32(00000000), ref: 00419263
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                • String ID: DISPLAY
                                • API String ID: 4256916514-865373369
                                • Opcode ID: d098f0494e6cf70b6a27a8e3a9167c03c8027aa06e67c3efe5d1aa02d08667bb
                                • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                • Opcode Fuzzy Hash: d098f0494e6cf70b6a27a8e3a9167c03c8027aa06e67c3efe5d1aa02d08667bb
                                • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

                                Control-flow Graph: rendered as an interactive graph in the original report (nodes marked Executed / Not Executed) and not reproducible as text. It covers the basic blocks of the function at 0040D420 (40d420 through 40d7fe); the API calls reached on those paths are listed under APIs below.
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                • ExitProcess.KERNEL32 ref: 0040D7D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                                • API String ID: 1861856835-2780701618
                                • Opcode ID: b551f3b2373885e39556138e865b175cc3d4ae26f9f03a76750746f939b0c8d9
                                • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                • Opcode Fuzzy Hash: b551f3b2373885e39556138e865b175cc3d4ae26f9f03a76750746f939b0c8d9
                                • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                • ResumeThread.KERNEL32(?), ref: 00418435
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                • GetLastError.KERNEL32 ref: 0041847A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                • API String ID: 4188446516-3035715614
                                • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                • ExitProcess.KERNEL32 ref: 0040D419
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("$xIs
                                • API String ID: 3797177996-3440352031
                                • Opcode ID: 20ad542f7171711714ea231336f0bfedc48dcef2d82ad876a4b4a36a3752c16a
                                • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                • Opcode Fuzzy Hash: 20ad542f7171711714ea231336f0bfedc48dcef2d82ad876a4b4a36a3752c16a
                                • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                • GetCurrentProcessId.KERNEL32 ref: 00412541
                                • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                • Sleep.KERNEL32(000001F4), ref: 00412682
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                • API String ID: 2649220323-436679193
                                • Opcode ID: 41acead5e00a0d3b02ed220858109bffcea00a40e5874d1294efd922ef337f81
                                • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                • Opcode Fuzzy Hash: 41acead5e00a0d3b02ed220858109bffcea00a40e5874d1294efd922ef337f81
                                • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
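                                The three functions listed above are recognisable from their API sequences alone: the routine at 00418136-0041847A creates a child with CREATE_SUSPENDED (dwCreationFlags 00000004), resolves ZwUnmapViewOfSection, reads the thread context, writes the child's memory, sets a new context and resumes it (process hollowing); the routines at 0040D420 and 0040D1A5 delete an HKCU Run key, reset file attributes to FILE_ATTRIBUTE_NORMAL (00000080), launch a script with ShellExecuteW "open" and call ExitProcess so the script can delete the binary (the update.vbs uninstall routine whose strings are listed); and the routine at 00412494 creates a named mutex and exits if it already exists. The following Python is an added example, not code from the Joe Sandbox report or from Remcos: it parses the report's own "Name.Module(args), ref: addr" line format and flags those behaviours from argument values and call order. The sample traces are copied from the listings above; the rule names and the "CreateMutex immediately followed by ExitProcess" heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Win32 constants (documented values, not taken from the report).
CREATE_SUSPENDED = 0x00000004       # CreateProcess dwCreationFlags bit
HKEY_CURRENT_USER = 0x80000001      # predefined registry root handle
FILE_ATTRIBUTE_NORMAL = 0x00000080  # SetFileAttributes: drop hidden/system/readonly

Arg = Union[int, str, None]

@dataclass
class ApiCall:
    name: str        # "CreateProcessW"
    module: str      # "KERNEL32"
    args: List[Arg]  # int for 8-hex-digit tokens, None for "?", str otherwise
    ref: int         # call-site address
    subcall: bool    # True for "Part of subcall function ..." lines

# One listing line: "[• ][Part of subcall function X: ]Name.Module[(args)][,] ref: ADDR"
_LINE_RE = re.compile(
    r"^[\s•]*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
_HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":                          # value not recovered by the sandbox
        return None
    return int(tok, 16) if _HEX8_RE.match(tok) else tok   # raw dword, or a resolved string

def parse_trace(text: str) -> List[ApiCall]:
    """Parse one function's API listing; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def _flag_set(c: ApiCall, idx: int, flag: int) -> bool:
    return idx < len(c.args) and isinstance(c.args[idx], int) and (c.args[idx] & flag) == flag

def detect(calls: List[ApiCall]) -> List[str]:
    """Return the behaviour rules matched by one function's call sequence."""
    names = [c.name for c in calls]
    found = []
    # Process hollowing: child created suspended, context read, memory overwritten,
    # entry point redirected via SetThreadContext, thread resumed.
    suspended = any(c.name in ("CreateProcessW", "CreateProcessA")
                    and _flag_set(c, 5, CREATE_SUSPENDED) for c in calls)
    if suspended and {"GetThreadContext", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread"} <= set(names):
        found.append("process_hollowing")
    # Uninstall / self-delete: HKCU autostart key removed, hidden/system attributes
    # cleared, helper launched via ShellExecute "open", then ExitProcess.
    deletes_hkcu = any(c.name.startswith("RegDeleteKey")
                       and c.args[:1] == [HKEY_CURRENT_USER] for c in calls)
    normalises = any(c.name.startswith("SetFileAttributes")
                     and _flag_set(c, 1, FILE_ATTRIBUTE_NORMAL) for c in calls)
    opens = [i for i, c in enumerate(calls)
             if c.name.startswith("ShellExecute") and c.args[1:2] == ["open"]]
    exits = [i for i, c in enumerate(calls) if c.name == "ExitProcess"]
    if deletes_hkcu and normalises and opens and exits and exits[-1] > opens[0]:
        found.append("self_delete_uninstall")
    # Single-instance guard (heuristic, this example's own): CreateMutex directly
    # followed by ExitProcess is the "already running, bail out" path.
    if any(names[i].startswith("CreateMutex") and names[i + 1] == "ExitProcess"
           for i in range(len(names) - 1)):
        found.append("single_instance_mutex")
    return found

# Sample input: lines copied from the API listings above (shortened).
HOLLOWING_TRACE = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
• GetThreadContext.KERNEL32(?,00000000), ref: 00418245
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
• SetThreadContext.KERNEL32(?,00000000), ref: 00418428
• ResumeThread.KERNEL32(?), ref: 00418435
"""
UNINSTALL_TRACE = """\
  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
• ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
• ExitProcess.KERNEL32 ref: 0040D7D0
"""
MUTEX_TRACE = """\
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
• ExitProcess.KERNEL32(00000000), ref: 004124A0
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
"""
```

                                Usage: `detect(parse_trace(HOLLOWING_TRACE))` returns `["process_hollowing"]`; the same call on a listing where CreateProcessW is invoked with dwCreationFlags 00000000 and no SetThreadContext follows returns nothing. The argument positions (dwCreationFlags is the sixth CreateProcess parameter, dwFileAttributes the second of SetFileAttributes) are what make the rules robust against reordering of unrelated calls; a sandbox that prints "?" for an argument it could not recover leaves that rule unmatched rather than guessing.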
                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                • SetEvent.KERNEL32 ref: 0041B219
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                • CloseHandle.KERNEL32 ref: 0041B23A
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                • API String ID: 738084811-2094122233
                                • Opcode ID: 6ef51392ff8895417ea989398018cdc7f1dc70480f06eceb7defc699de156b83
                                • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                • Opcode Fuzzy Hash: 6ef51392ff8895417ea989398018cdc7f1dc70480f06eceb7defc699de156b83
                                • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
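                                The thirteen WriteFile calls above emit, in order and with sizes 4,4,4,4,4,2,2,4,4,2,2,4,4, the 44-byte canonical PCM WAV header: "RIFF", RIFF size, "WAVE", "fmt ", fmt chunk size, format tag, channels, sample rate, byte rate, block align, bits per sample, "data", data size. The function at 00401AD9 therefore writes the sample's audio capture as a plain WAV file. The following Python is an added example, not code from the report or from Remcos: it rebuilds that header and parses a recovered capture, reporting internal inconsistencies and whether the file is shorter than its header claims. The 16 kHz mono 16-bit values are constructed for the test; the report does not state which format the sample uses.

```python
import struct
from typing import Any, Dict

WAVE_FORMAT_PCM = 1
# Canonical 44-byte PCM header, little-endian, in exactly the order the function
# above writes it: RIFF, size, WAVE, "fmt ", 16, tag, channels, rate, byte rate,
# block align, bits, "data", data size  (4,4,4,4,4,2,2,4,4,2,2,4,4 bytes).
_HDR = struct.Struct("<4sI4s4sIHHIIHH4sI")


def build_wav_header(channels: int, sample_rate: int, bits_per_sample: int, data_len: int) -> bytes:
    """Header for data_len bytes of raw PCM samples (mirrors the 13 WriteFile calls)."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return _HDR.pack(b"RIFF", 36 + data_len, b"WAVE", b"fmt ", 16, WAVE_FORMAT_PCM,
                     channels, sample_rate, byte_rate, block_align, bits_per_sample,
                     b"data", data_len)


def parse_wav_header(blob: bytes) -> Dict[str, Any]:
    """Decode a recovered capture; raise on non-WAV input, list inconsistencies."""
    if len(blob) < _HDR.size:
        raise ValueError("shorter than a WAV header")
    (riff, riff_size, wave, fmt, fmt_size, tag, channels, rate, byte_rate,
     block_align, bits, data, data_len) = _HDR.unpack_from(blob)
    if (riff, wave, fmt, data) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        raise ValueError("not a canonical PCM WAV header")
    problems = []
    if fmt_size != 16 or tag != WAVE_FORMAT_PCM:
        problems.append("fmt chunk is not 16-byte PCM")
    if block_align != channels * bits // 8:
        problems.append("block_align disagrees with channels*bits/8")
    if byte_rate != rate * block_align:
        problems.append("byte_rate disagrees with sample_rate*block_align")
    if riff_size != 36 + data_len:
        problems.append("RIFF size disagrees with data size")
    actual = len(blob) - _HDR.size
    return {
        "channels": channels, "sample_rate": rate, "bits_per_sample": bits,
        "byte_rate": byte_rate, "block_align": block_align,
        "data_len": data_len, "actual_data_len": actual,
        "truncated": actual < data_len,   # file cut short, or sizes never patched in
        "duration_s": data_len / byte_rate if byte_rate else 0.0,
        "problems": problems,
    }
```

                                A capture pulled from a host or a sandbox file dump can be checked with `parse_wav_header(open(path, "rb").read())`: a `truncated` result or a non-empty `problems` list means the writer was killed before it finished, or the sizes in the header were never updated, and the audio should be recovered by length rather than trusting the declared `data_len`.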
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\FdSJYyDayo.exe,00000001,0040764D,C:\Users\user\Desktop\FdSJYyDayo.exe,00000003,00407675,xIs,004076CE), ref: 00407284
                                • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Users\user\Desktop\FdSJYyDayo.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-997524024
                                • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C036
                                • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                • lstrlenW.KERNEL32(?), ref: 0041C067
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                • _wcslen.LIBCMT ref: 0041C13B
                                • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                • GetLastError.KERNEL32 ref: 0041C173
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                • GetLastError.KERNEL32 ref: 0041C1D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                • API String ID: 3899193279-0
                                • Opcode ID: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
                                • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                • Opcode Fuzzy Hash: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
                                • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                • Sleep.KERNEL32(00000064), ref: 00412E94
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$0TG$0TG$NG$NG
                                • API String ID: 1223786279-2576077980
                                • Opcode ID: 45816bd423e92bb8680930aa6a7d7804db8f63587a8a1e07c71b8186c8759938
                                • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                • Opcode Fuzzy Hash: 45816bd423e92bb8680930aa6a7d7804db8f63587a8a1e07c71b8186c8759938
                                • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                • __aulldiv.LIBCMT ref: 00408D4D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                                • API String ID: 3086580692-1206044436
                                • Opcode ID: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                • Opcode Fuzzy Hash: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A740
                                  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                  • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                                • API String ID: 3795512280-4009011672
                                • Opcode ID: dd9c0471e25d076647664c84ec6971b7212badb5cce70a00efb0c7fa575d8801
                                • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                • Opcode Fuzzy Hash: dd9c0471e25d076647664c84ec6971b7212badb5cce70a00efb0c7fa575d8801
                                • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                • String ID: IA$\ws2_32$\wship6$getaddrinfo
                                • API String ID: 2490988753-2533987332
                                • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                • GetCursorPos.USER32(?), ref: 0041D5E9
                                • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                • ExitProcess.KERNEL32 ref: 0041D665
                                • CreatePopupMenu.USER32 ref: 0041D66B
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                • SetEvent.KERNEL32(00000000), ref: 00404E43
                                • CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                                • SetEvent.KERNEL32(00000000), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                                • SetEvent.KERNEL32(00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                                • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                                • SetEvent.KERNEL32(00000000), ref: 00404ED1
                                • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                • String ID: PkGNG
                                • API String ID: 3658366068-263838557
                                • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$Info
                                • String ID:
                                • API String ID: 2509303402-0
                                • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                • ExitProcess.KERNEL32 ref: 0040D9C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                                • API String ID: 1913171305-51354631
                                • Opcode ID: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                • Opcode Fuzzy Hash: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-3229884001
                                • Opcode ID: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                • Opcode Fuzzy Hash: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045130A
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                • _free.LIBCMT ref: 004512FF
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00451321
                                • _free.LIBCMT ref: 00451336
                                • _free.LIBCMT ref: 00451341
                                • _free.LIBCMT ref: 00451363
                                • _free.LIBCMT ref: 00451376
                                • _free.LIBCMT ref: 00451384
                                • _free.LIBCMT ref: 0045138F
                                • _free.LIBCMT ref: 004513C7
                                • _free.LIBCMT ref: 004513CE
                                • _free.LIBCMT ref: 004513EB
                                • _free.LIBCMT ref: 00451403
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                APIs
                                • __EH_prolog.LIBCMT ref: 00419FB9
                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                • GetLocalTime.KERNEL32(?), ref: 0041A105
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                • API String ID: 489098229-1431523004
                                • Opcode ID: 0e7dd5b9c8f3c8bbf87e47502bed00745cf23af802625de92c9b4d39b7d12e2e
                                • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                • Opcode Fuzzy Hash: 0e7dd5b9c8f3c8bbf87e47502bed00745cf23af802625de92c9b4d39b7d12e2e
                                • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                APIs
                                  • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                • GetLastError.KERNEL32 ref: 00455CEF
                                • __dosmaperr.LIBCMT ref: 00455CF6
                                • GetFileType.KERNEL32(00000000), ref: 00455D02
                                • GetLastError.KERNEL32 ref: 00455D0C
                                • __dosmaperr.LIBCMT ref: 00455D15
                                • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                • CloseHandle.KERNEL32(?), ref: 00455E7F
                                • GetLastError.KERNEL32 ref: 00455EB1
                                • __dosmaperr.LIBCMT ref: 00455EB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                • __freea.LIBCMT ref: 0044AE30
                                  • Part of subcall function 00446137: HeapAlloc.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • __freea.LIBCMT ref: 0044AE39
                                • __freea.LIBCMT ref: 0044AE5E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                • String ID: $C$PkGNG
                                • API String ID: 2597970681-3740547665
                                • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0040AD38
                                • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                • GetForegroundWindow.USER32 ref: 0040AD49
                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                • String ID: [${ User has been idle for $ minutes }$]
                                • API String ID: 911427763-3954389425
                                • Opcode ID: d029bd4235179839c9baf363e6aa800d014436574332bd325cff9a7a557b710f
                                • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                • Opcode Fuzzy Hash: d029bd4235179839c9baf363e6aa800d014436574332bd325cff9a7a557b710f
                                • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                APIs
                                • OpenClipboard.USER32 ref: 00416941
                                • EmptyClipboard.USER32 ref: 0041694F
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@$hdF
                                • API String ID: 2172192267-3475379602
                                • Opcode ID: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                • Opcode Fuzzy Hash: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                • __dosmaperr.LIBCMT ref: 0043A8A6
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                • __dosmaperr.LIBCMT ref: 0043A8E3
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                • __dosmaperr.LIBCMT ref: 0043A937
                                • _free.LIBCMT ref: 0043A943
                                • _free.LIBCMT ref: 0043A94A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32(?), ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                • Opcode ID: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                • Opcode Fuzzy Hash: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                APIs
                                  • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                • String ID: 0VG$0VG$<$@$Temp
                                • API String ID: 1704390241-2575729100
                                • Opcode ID: 98959ef4594bcaafc024db97d5732f010b7230a0abd9b713f16470a190596f9f
                                • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                • Opcode Fuzzy Hash: 98959ef4594bcaafc024db97d5732f010b7230a0abd9b713f16470a190596f9f
                                • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                • int.LIBCPMT ref: 00410E81
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                • String ID: ,kG$0kG$@!G
                                • API String ID: 3815856325-312998898
                                • Opcode ID: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                • Opcode Fuzzy Hash: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                • Opcode Fuzzy Hash: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                APIs
                                • _free.LIBCMT ref: 00448135
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00448141
                                • _free.LIBCMT ref: 0044814C
                                • _free.LIBCMT ref: 00448157
                                • _free.LIBCMT ref: 00448162
                                • _free.LIBCMT ref: 0044816D
                                • _free.LIBCMT ref: 00448178
                                • _free.LIBCMT ref: 00448183
                                • _free.LIBCMT ref: 0044818E
                                • _free.LIBCMT ref: 0044819C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                • API String ID: 3578746661-3604713145
                                • Opcode ID: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                • Opcode Fuzzy Hash: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                • __fassign.LIBCMT ref: 0044B479
                                • __fassign.LIBCMT ref: 0044B494
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID: PkGNG
                                • API String ID: 1324828854-263838557
                                • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(00000064), ref: 00417521
                                • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                • Opcode Fuzzy Hash: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 004073DD
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\FdSJYyDayo.exe), ref: 0040749E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                APIs
                                • _strftime.LIBCMT ref: 00401D50
                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                • API String ID: 3809562944-243156785
                                • Opcode ID: 5d5d8b804b24dbb182b265a24ad27abd29ffba8ef4e2f14911defadce340a58b
                                • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                • Opcode Fuzzy Hash: 5d5d8b804b24dbb182b265a24ad27abd29ffba8ef4e2f14911defadce340a58b
                                • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: dMG$|MG$PG
                                • API String ID: 1356121797-532278878
                                • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                  • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                  • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                  • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                • TranslateMessage.USER32(?), ref: 0041D4E9
                                • DispatchMessageA.USER32(?), ref: 0041D4F3
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                APIs
                                • GetCPInfo.KERNEL32(?,?), ref: 00453E2F
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453EB2
                                • __alloca_probe_16.LIBCMT ref: 00453EEA
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453F45
                                • __alloca_probe_16.LIBCMT ref: 00453F94
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F5C
                                  • Part of subcall function 00446137: HeapAlloc.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FD8
                                • __freea.LIBCMT ref: 00454003
                                • __freea.LIBCMT ref: 0045400F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                • String ID:
                                • API String ID: 3256262068-0
                                • Opcode ID: cf0f5bca4b9d7a6a0537f160270e877f32bb2155bdb84350bfddf98010c842c7
                                • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                • Opcode Fuzzy Hash: cf0f5bca4b9d7a6a0537f160270e877f32bb2155bdb84350bfddf98010c842c7
                                • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _memcmp.LIBVCRUNTIME ref: 00445423
                                • _free.LIBCMT ref: 00445494
                                • _free.LIBCMT ref: 004454AD
                                • _free.LIBCMT ref: 004454DF
                                • _free.LIBCMT ref: 004454E8
                                • _free.LIBCMT ref: 004454F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                • Opcode Fuzzy Hash: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                APIs
                                  • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                                  • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                                • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                                • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                                • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                                  • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                  • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                • String ID: t^F
                                • API String ID: 3950776272-389975521
                                • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: {s$PkG$NG$NG
                                • API String ID: 1649129571-1567257852
                                • Opcode ID: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                • Opcode Fuzzy Hash: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                APIs
                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                  • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumInfoOpenQuerysend
                                • String ID: hdF$xUG$NG$NG$TG
                                • API String ID: 3114080316-2774981958
                                • Opcode ID: f05c03517f952f3a355b8cbbd5c3f5256b4ab212a1f163f9846f57004d6dde5d
                                • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                • Opcode Fuzzy Hash: f05c03517f952f3a355b8cbbd5c3f5256b4ab212a1f163f9846f57004d6dde5d
                                • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                • Opcode Fuzzy Hash: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                APIs
                                • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$Window$AllocOutputShow
                                • String ID: Remcos v$5.0.0 Pro$CONOUT$
                                • API String ID: 4067487056-2278869229
                                • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: C:\Users\user\Desktop\FdSJYyDayo.exe$Rmc-IN9IWC$hdF$xIs
                                • API String ID: 0-3910532427
                                • Opcode ID: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                • Opcode Fuzzy Hash: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend
                                • String ID:
                                • API String ID: 3431551938-0
                                • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$zD
                                • API String ID: 2936374016-2723203690
                                • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                APIs
                                • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041C726
                                • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName
                                • API String ID: 1332880857-3786665039
                                • Opcode ID: 9acb91869caa52ba962ff5e9cffe7dbf008cca4ae8889db815e50d5881a9b18e
                                • Instruction ID: 30dd124696def6d144da0f01c12024620090e461f41beb3abd2b2340f2562d2c
                                • Opcode Fuzzy Hash: 9acb91869caa52ba962ff5e9cffe7dbf008cca4ae8889db815e50d5881a9b18e
                                • Instruction Fuzzy Hash: E961F3711082419AD325EF11D851EEFB3E8BF94309F10493FB589921A2FF789E49CA5A
                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                • Opcode Fuzzy Hash: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                • __alloca_probe_16.LIBCMT ref: 004511B1
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                • __freea.LIBCMT ref: 0045121D
                                  • Part of subcall function 00446137: HeapAlloc.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                • String ID: PkGNG
                                • API String ID: 1857427562-263838557
                                • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                APIs
                                  • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                  • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                  • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • _wcslen.LIBCMT ref: 0041B763
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-122982132
                                • Opcode ID: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                • Opcode Fuzzy Hash: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                APIs
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                • API String ID: 1133728706-4073444585
                                • Opcode ID: 1e05d710c332b0c32bace29fd72cf7e3a184a0c4047cd7709485bc9a7fc4ad42
                                • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                • Opcode Fuzzy Hash: 1e05d710c332b0c32bace29fd72cf7e3a184a0c4047cd7709485bc9a7fc4ad42
                                • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                APIs
                                  • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                • _free.LIBCMT ref: 00450F48
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00450F53
                                • _free.LIBCMT ref: 00450F5E
                                • _free.LIBCMT ref: 00450FB2
                                • _free.LIBCMT ref: 00450FBD
                                • _free.LIBCMT ref: 00450FC8
                                • _free.LIBCMT ref: 00450FD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                • int.LIBCPMT ref: 00411183
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 004111C3
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                APIs
                                • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\FdSJYyDayo.exe), ref: 004075D0
                                  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                • CoUninitialize.OLE32 ref: 00407629
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Users\user\Desktop\FdSJYyDayo.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-3042664167
                                • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                • GetLastError.KERNEL32 ref: 0040BAE7
                                Strings
                                • [Chrome Cookies not found], xrefs: 0040BB01
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                • UserProfile, xrefs: 0040BAAD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$PkGNG$mscoree.dll
                                • API String ID: 4061214504-213444651
                                • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                APIs
                                • _free.LIBCMT ref: 00444066
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00444078
                                • _free.LIBCMT ref: 0044408B
                                • _free.LIBCMT ref: 0044409C
                                • _free.LIBCMT ref: 004440AD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID: (Ss
                                • API String ID: 776569668-2441470043
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                APIs
                                • __allrem.LIBCMT ref: 0043AC69
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                • __allrem.LIBCMT ref: 0043AC9C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                • __allrem.LIBCMT ref: 0043ACD1
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                • Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                APIs
                                • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                • API String ID: 3469354165-3054508432
                                • Opcode ID: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                • Opcode Fuzzy Hash: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                • String ID:
                                • API String ID: 493672254-0
                                • Opcode ID: 91938c1d555d364b93c99e00d8beeb13e1151d7f412d7edf767a6a0184c3eeef
                                • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                • Opcode Fuzzy Hash: 91938c1d555d364b93c99e00d8beeb13e1151d7f412d7edf767a6a0184c3eeef
                                • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
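The function records above are what an analyst reads to confirm the report's signatures: the CMLuaUtil ShellExec routine at 004075D0 (CoGetObject plus the UACMe method name "ucmCMLuaUtilShellExecMethod"), the Chrome cookie-store deletion at 0040BADD, the webcam export names around 004044C4, and the service reconfiguration at 0041AC88 whose ChangeServiceConfigW call passes dwStartType = 00000004 (SERVICE_DISABLED). The following Python script is an added example and is not part of this report or of Joe Sandbox: it parses records in the plain-text layout shown on this page and maps API-plus-string combinations to those behaviours. SAMPLE_RECORDS is a constructed subset copied from this page's records (including the service-stop function at 0041AAB5, whose ControlService call passes dwControl = 00000001, SERVICE_CONTROL_STOP); the behaviour labels and the constant tables are this example's own mapping, using the documented Win32 values.

```python
"""Triage helper for Joe Sandbox per-function records.

Added example: not part of this report and not Joe Sandbox's own code. It parses
the plain-text "APIs" records as laid out on this page (bulleted API calls with
hex arguments and "ref:" addresses, later an "API ID" line and a "$"-separated
"String ID" line) and maps API + string combinations to behaviour labels.
SAMPLE_RECORDS is a constructed subset copied from this page's records; the
labels and constant tables below are this example's own mapping.
"""
import re
from dataclasses import dataclass, field

SAMPLE_RECORDS = r"""
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\FdSJYyDayo.exe), ref: 004075D0
  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• CoUninitialize.OLE32 ref: 00407629
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Users\user\Desktop\FdSJYyDayo.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
• GetLastError.KERNEL32 ref: 0040BAE7
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
APIs
• Sleep.KERNEL32(00000000,?), ref: 004044C4
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
APIs
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
"""

# One bulleted call line: optional "Part of subcall function X:" prefix, then
# name.MODULE, optional (args), and the "ref:" address.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w@:~$?]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID):\s*(.*)$")

# Documented Win32 values for the two service arguments decoded below.
SERVICE_START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
                       2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
                       4: "SERVICE_DISABLED"}
SERVICE_CONTROLS = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                    3: "SERVICE_CONTROL_CONTINUE"}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str


@dataclass
class Record:
    calls: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)

    @property
    def entry(self) -> str:
        """Address of the first API reference; used as the record's label."""
        return self.calls[0].ref if self.calls else "?"

    def api_names(self) -> set:
        return {c.name for c in self.calls}


def parse_records(text: str) -> list:
    """Split the dump at each 'APIs' header and collect calls, API ID and strings."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["name"], m["module"], args, m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if m and m[1] == "API ID":
            cur.api_id = m[2].strip()
        elif m:
            cur.strings = [s for s in m[2].split("$") if s]
    return records


def _hex_arg(args: list, idx: int):
    """Return args[idx] as an int, or None when it is missing or unresolved ('?')."""
    if idx < len(args) and re.fullmatch(r"[0-9A-Fa-f]+", args[idx]):
        return int(args[idx], 16)
    return None


def classify(rec: Record) -> list:
    """Map one record's API set and strings to behaviour labels (example mapping)."""
    names, text = rec.api_names(), "$".join(rec.strings)
    found = []
    # CoGetObject plus the UACMe method name: the CMSTPLUA (CMLuaUtil) elevated
    # COM object is used to ShellExec a command without a UAC prompt.
    if "CoGetObject" in names and "ucmCMLuaUtilShellExec" in text:
        found.append("UAC bypass via CMSTPLUA/CMLuaUtil ShellExec")
    if "DeleteFileA" in names and r"Chrome\User Data\Default\Cookies" in text:
        found.append("deletes Chrome cookie store under %UserProfile%")
    if {"OpenCamera", "GetFrame", "CloseCamera"} <= set(rec.strings):
        found.append("webcam capture (camera exports resolved by name)")
    for c in rec.calls:
        # ChangeServiceConfigW(hService, dwServiceType, dwStartType, ...): arg 2 is the start type.
        if c.name == "ChangeServiceConfigW" and (st := _hex_arg(c.args, 2)) is not None:
            found.append(f"service reconfigured at {c.ref}: dwStartType={SERVICE_START_TYPES.get(st, hex(st))}")
        # ControlService(hService, dwControl, ...): arg 1 is the control code.
        if c.name == "ControlService" and (ctl := _hex_arg(c.args, 1)) is not None:
            found.append(f"service control at {c.ref}: {SERVICE_CONTROLS.get(ctl, hex(ctl))}")
    return found


def triage(text: str) -> dict:
    """Return {entry address: [behaviour labels]} for every record with a finding."""
    return {r.entry: hits for r in parse_records(text) if (hits := classify(r))}


if __name__ == "__main__":
    for entry, hits in triage(SAMPLE_RECORDS).items():
        print(entry, "->", "; ".join(hits))
```

Run against the whole function list of a report, the script turns hundreds of CRT-only records (the _free, _Lockit and FlsGetValue functions on this page produce no finding) into a short list keyed by entry address; arguments the sandbox could not resolve are shown as "?" and are skipped rather than guessed, so a decoded SERVICE_DISABLED or SERVICE_CONTROL_STOP always comes from a concrete value in the record.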
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: __alldvrm$_strrchr
                                • String ID: PkGNG
                                • API String ID: 1036877536-263838557
                                • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                APIs
                                • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                • _free.LIBCMT ref: 0044824C
                                • _free.LIBCMT ref: 00448274
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                • _abort.LIBCMT ref: 00448293
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                • Opcode Fuzzy Hash: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                • Opcode Fuzzy Hash: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 88b0ec0b9de38ee72874faffadaad7a58cf941c8d18bd5a35ca229f780ffab3e
                                • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                • Opcode Fuzzy Hash: 88b0ec0b9de38ee72874faffadaad7a58cf941c8d18bd5a35ca229f780ffab3e
                                • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
                                • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                • String ID: PkGNG
                                • API String ID: 3360349984-263838557
                                • Opcode ID: da9b55f167a3d17e97016713e4b8b3caaa4e9716ac3efc00888ec9c07983d3ee
                                • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                • Opcode Fuzzy Hash: da9b55f167a3d17e97016713e4b8b3caaa4e9716ac3efc00888ec9c07983d3ee
                                • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\FdSJYyDayo.exe,00000104), ref: 00443475
                                • _free.LIBCMT ref: 00443540
                                • _free.LIBCMT ref: 0044354A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\Desktop\FdSJYyDayo.exe$%r
                                • API String ID: 2506810119-2847473928
                                • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: XQG
                                • API String ID: 1958988193-3606453820
                                • Opcode ID: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                • Opcode Fuzzy Hash: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                • GetLastError.KERNEL32 ref: 0041D580
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                • CloseHandle.KERNEL32(?), ref: 004077AA
                                • CloseHandle.KERNEL32(?), ref: 004077AF
                                Strings
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                • SetEvent.KERNEL32(?), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                • CloseHandle.KERNEL32(?), ref: 00405140
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                • Opcode ID: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                • Opcode Fuzzy Hash: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                APIs
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                • Sleep.KERNEL32(00002710), ref: 0041AE07
                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                • String ID: Alarm triggered
                                • API String ID: 614609389-2816303416
                                • Opcode ID: 2f63ca3754ee2fa8067f4581fa5685451e0165abe6878d0f9dceb9a842065b81
                                • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                • Opcode Fuzzy Hash: 2f63ca3754ee2fa8067f4581fa5685451e0165abe6878d0f9dceb9a842065b81
                                • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                APIs
                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                Strings
                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                • API String ID: 3024135584-2418719853
                                • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                APIs
                                  • Part of subcall function 00446137: HeapAlloc.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • _free.LIBCMT ref: 00444E06
                                • _free.LIBCMT ref: 00444E1D
                                • _free.LIBCMT ref: 00444E3C
                                • _free.LIBCMT ref: 00444E57
                                • _free.LIBCMT ref: 00444E6E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$AllocHeap
                                • String ID:
                                • API String ID: 1835388192-0
                                • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                  • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                • Opcode ID: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                • Opcode Fuzzy Hash: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                APIs
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • Sleep.KERNEL32(00000BB8), ref: 0041277A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: 8SG$exepath$hdF$xIs
                                • API String ID: 4119054056-754052207
                                • Opcode ID: bfa7946a20d0ba0244eb19560f4c3b0d7a78169555de0d07121ed9ca0cce8570
                                • Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
                                • Opcode Fuzzy Hash: bfa7946a20d0ba0244eb19560f4c3b0d7a78169555de0d07121ed9ca0cce8570
                                • Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                  • Part of subcall function 00446137: HeapAlloc.KERNEL32(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                • _free.LIBCMT ref: 0044F3BF
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                • String ID:
                                • API String ID: 2278895681-0
                                • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                APIs
                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID:
                                • API String ID: 1852769593-0
                                • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                • _free.LIBCMT ref: 004482D3
                                • _free.LIBCMT ref: 004482FA
                                • SetLastError.KERNEL32(00000000), ref: 00448307
                                • SetLastError.KERNEL32(00000000), ref: 00448310
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                APIs
                                • _free.LIBCMT ref: 004509D4
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 004509E6
                                • _free.LIBCMT ref: 004509F8
                                • _free.LIBCMT ref: 00450A0A
                                • _free.LIBCMT ref: 00450A1C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$NG
                                • API String ID: 180926312-2721294649
                                • Opcode ID: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                • Opcode Fuzzy Hash: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                APIs
                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                • String ID: XQG$NG$PG
                                • API String ID: 1634807452-3565412412
                                • Opcode ID: 3fb924593915bbdab49489ab510ca87b68c848884981a2accbe0ae65a1be58bc
                                • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                • Opcode Fuzzy Hash: 3fb924593915bbdab49489ab510ca87b68c848884981a2accbe0ae65a1be58bc
                                • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: `#D$`#D
                                • API String ID: 885266447-2450397995
                                • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                • GetLastError.KERNEL32 ref: 0044B931
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                • String ID: PkGNG
                                • API String ID: 2456169464-263838557
                                • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                                • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                                  • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                                  • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • _free.LIBCMT ref: 0044EFD0
                                • _free.LIBCMT ref: 0044F006
                                Similarity
                                • API ID: _free$ErrorLast_abort
                                • String ID: (Ss$(Ss
                                • API String ID: 2991157371-348277219
                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 0040B797
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                                • API String ID: 1881088180-1379921833
                                APIs
                                • _wcslen.LIBCMT ref: 004162F5
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                  • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$okmode$PG
                                • API String ID: 3411444782-3370592832
                                APIs
                                  • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0040C603
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                APIs
                                  • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                                • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                                • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                Similarity
                                • API ID: CreateThread$LocalTime$wsprintf
                                • String ID: Online Keylogger Started
                                • API String ID: 112202259-1258561607
                                APIs
                                • CloseHandle.KERNEL32(00000000,00000000,0040F3BB,?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDC2
                                • GetLastError.KERNEL32(?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDCC
                                • __dosmaperr.LIBCMT ref: 0044BDF7
                                Similarity
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID: _t
                                • API String ID: 2583163307-2907138892
                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                • API String ID: 481472006-3277280411
                                APIs
                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                Similarity
                                • API ID: Create$EventLocalThreadTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 2532271599-1507639952
                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                APIs
                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                • GetLastError.KERNEL32 ref: 0044C296
                                • __dosmaperr.LIBCMT ref: 0044C29D
                                Similarity
                                • API ID: ErrorFileLastPointer__dosmaperr
                                • String ID: PkGNG
                                • API String ID: 2336955059-263838557
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                • Opcode Fuzzy Hash: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                APIs
                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: FormatFreeLocalMessage
                                • String ID: @J@$PkGNG
                                • API String ID: 1427518018-1416487119
                                • Opcode ID: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                • Opcode Fuzzy Hash: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                • String ID: bad locale name
                                • API String ID: 3628047217-1405518554
                                • Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                • Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Control Panel\Desktop
                                • API String ID: 1818849710-27424756
                                • Opcode ID: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                • Opcode Fuzzy Hash: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                • ShowWindow.USER32(00000009), ref: 00416C61
                                • SetForegroundWindow.USER32 ref: 00416C6D
                                  • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                  • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                  • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                  • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                • String ID: !D@
                                • API String ID: 186401046-604454484
                                • Opcode ID: cc4916408580e951ac93bfe67ce7d507046645e77a3ccf4d0f5d95b4476223b5
                                • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                • Opcode Fuzzy Hash: cc4916408580e951ac93bfe67ce7d507046645e77a3ccf4d0f5d95b4476223b5
                                • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                • Opcode Fuzzy Hash: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                APIs
                                Strings
                                • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                • Opcode Fuzzy Hash: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                APIs
                                  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                • Sleep.KERNEL32(000001F4), ref: 0040A573
                                • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                • String ID:
                                • API String ID: 188215759-0
                                • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                                • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
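The per-function entries above mix the sample's own logic (the HKCU\Control Panel\Desktop wallpaper write, the ShellExecuteW "cmd.exe /C" launcher, the AllocConsole/GetConsoleWindow/ShowWindow hidden console, the GetForegroundWindow/GetWindowTextW/Sleep window-title logger, the "Cleared browsers logins and cookies." string) with statically linked runtime code (anything in LIBVCRUNTIME, LIBCPMT or LIBCMT, and the LoadLibraryExW/GetLastError/LoadLibraryExW triple with the FlsSetValue argument, which is the UCRT resolving an optional Win32 API with LOAD_LIBRARY_SEARCH_SYSTEM32, 0x800, and retrying without flags). The triage helper below is an added example, not part of the Joe Sandbox report: it parses entries in the report's own layout (an "APIs" block, a "Strings" block, an "• Instruction Fuzzy Hash:" line closing each function), separates runtime code by module name, and tags the remaining functions with capability labels. The REPORT text is a constructed excerpt copied from the entries above with long argument lists shortened; the rule table and its labels are this example's own.

```python
"""Triage helper for Joe Sandbox per-function entries (added example, not
report code): group "APIs" / "String ID" lines into functions, set aside MSVC
runtime library code, and tag the Remcos capabilities that remain."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's line format; argument lists shortened.
REPORT = r"""
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
Strings
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
APIs
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
• RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle), ref: 004137A6
Strings
• String ID: Control Panel\Desktop
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
• ShowWindow.USER32(00000009), ref: 00416C61
  • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
  • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
  • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
Strings
• String ID: /C $cmd.exe$open
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040C0F5
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
APIs
  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?), ref: 0041C561
  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
• Sleep.KERNEL32(000001F4), ref: 0040A573
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
• GetLastError.KERNEL32(?,0044850D), ref: 004485A4
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D), ref: 004485B2
"""

CRT_MODULES = {"LIBVCRUNTIME", "LIBCMT", "LIBCPMT"}   # statically linked MSVC runtime
API_RE = re.compile(r"•\s+(?:Part of subcall function [0-9A-F]+: )?"
                    r"(?P<name>[\w:@]+)\.(?P<mod>[A-Z0-9]+)")
REF_RE = re.compile(r"x?refs?: ([0-9A-F]{8})")

# (tag, APIs that must all be present, substrings that must all be present).
# Tags and rule contents are this example's own, not the report's.
RULES = [
    ("wallpaper change via HKCU\\Control Panel\\Desktop", {"RegSetValueExA"},
     ["Control Panel\\Desktop", "WallpaperStyle"]),
    ("command execution through cmd.exe /C", {"ShellExecuteW"}, ["cmd.exe", "/C "]),
    ("hidden console window", {"AllocConsole", "GetConsoleWindow", "ShowWindow"}, []),
    ("active-window title logging", {"GetForegroundWindow", "GetWindowTextW", "Sleep"}, []),
    ("browser credential wiping", set(), ["Cleared browsers logins and cookies"]),
    # UCRT thunk loader: LoadLibraryExW with LOAD_LIBRARY_SEARCH_SYSTEM32, retry without flags.
    ("UCRT delay-load thunk (library code)", {"LoadLibraryExW", "GetLastError"}, ["FlsSetValue"]),
]

@dataclass
class Entry:
    ref: str = ""          # address of the function's first own (non-subcall) call
    apis: set = field(default_factory=set)
    modules: set = field(default_factory=set)
    text: str = ""         # raw entry text, searched by the substring rules

def parse_entries(report):
    """One Entry per disassembled function, in report order."""
    entries, cur = [], None
    for line in report.splitlines():
        s = line.strip()
        # A function starts at "APIs", or at "Memory Dump Source" when the report lists no APIs.
        if s == "APIs" or (cur is None and s == "Memory Dump Source"):
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.match(s):
            cur.apis.add(m["name"])
            cur.modules.add(m["mod"])
        if (r := REF_RE.search(s)) and not cur.ref and "Part of subcall" not in s:
            cur.ref = r.group(1)
        cur.text += s + "\n"
        if s.startswith("• Instruction Fuzzy Hash:"):   # last line of a function entry
            cur = None
    return entries

def classify(entry):
    if entry.modules & CRT_MODULES:
        return ["MSVC runtime (library code)"]
    tags = [tag for tag, apis, subs in RULES
            if apis <= entry.apis and all(sub in entry.text for sub in subs)]
    return tags or ["unclassified"]

def triage(report):
    """Map each function address to its capability tags."""
    return {e.ref or f"entry{i}": classify(e)
            for i, e in enumerate(parse_entries(report))}
```

Running `triage(REPORT)` yields one label per function: 0040E833 and 00448598 come out as library code, and the remaining five addresses map to the wallpaper, cmd.exe, hidden-console, title-logging and browser-wiping capabilities the report lists in its signature summary. Feed it the full report text to get the same split over every entry; functions whose API set matches no rule are left as "unclassified" rather than guessed at.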
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                • _UnwindNestedFrames.LIBCMT ref: 00439891
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                  • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                APIs
                                • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                                • GetLastError.KERNEL32 ref: 00449F2B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide
                                • String ID: PkGNG
                                • API String ID: 203985260-263838557
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                • GetLastError.KERNEL32 ref: 0044B804
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                • GetLastError.KERNEL32 ref: 0044B716
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                • API String ID: 1291196975-2966254431
                                APIs
                                • GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
                                • GetFileType.KERNEL32(00000000), ref: 00449C4E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileHandleType
                                • String ID: (ot
                                • API String ID: 3000768030-2081557511
                                APIs
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 481472006-1507639952
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: (ot
                                • API String ID: 269201875-2081557511
                                APIs
                                • Sleep.KERNEL32 ref: 00416640
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                • API String ID: 1931167962-604454484
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: alarm.wav$hYG
                                • API String ID: 1174141254-2782910960
                                • Opcode ID: 03e35b0c78ecaf780253322939ef9894f1bf68fcbaf7cdf3e29ba7f04c14b924
                                • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                • Opcode Fuzzy Hash: 03e35b0c78ecaf780253322939ef9894f1bf68fcbaf7cdf3e29ba7f04c14b924
                                • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                • Opcode ID: bec78cf3eedf1b186c8e89cd18ae9734a19b2f7b120e1a552bb6b5e0ab87ed89
                                • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                • Opcode Fuzzy Hash: bec78cf3eedf1b186c8e89cd18ae9734a19b2f7b120e1a552bb6b5e0ab87ed89
                                • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                APIs
                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: String
                                • String ID: LCMapStringEx$PkGNG
                                • API String ID: 2568140703-1065776982
                                • Opcode ID: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                • Opcode Fuzzy Hash: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                APIs
                                  • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                                • _free.LIBCMT ref: 00449ACC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$DeleteEnter_free
                                • String ID: (ot
                                • API String ID: 1836352639-2081557511
                                • Opcode ID: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
                                • Instruction ID: d8668749b8f053f3b87a5db4b07a71174a174bb0d30b2be9e7ca2d93a8738622
                                • Opcode Fuzzy Hash: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
                                • Instruction Fuzzy Hash: 491161315002149FE720DFA9D846B5D73B0FB04315F10455AE959AB2E6CBBCEC82DB0D
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _abort.LIBCMT ref: 0044F0A9
                                • _free.LIBCMT ref: 0044F0DD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_abort_free
                                • String ID: (Ss
                                • API String ID: 289325740-2441470043
                                • Opcode ID: 2e9ada046b615cce909465303d253cbb0255e834f3ab9ea9ae3315e12a655f22
                                • Instruction ID: 2af8ca7d7d9da888dd2a293bb18e2fdfe9fbdc3dbac3c8495f7aa1b7b8b1e2f7
                                • Opcode Fuzzy Hash: 2e9ada046b615cce909465303d253cbb0255e834f3ab9ea9ae3315e12a655f22
                                • Instruction Fuzzy Hash: F2010871D01A218FEB30AF6A840125EB7A0BF44715B15422FE52863352CB7C6D46CFCE
                                APIs
                                • waveInPrepareHeader.WINMM(0073DA00,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                • waveInAddBuffer.WINMM(0073DA00,00000020,?,00000000,00401A15), ref: 0040185F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: {s
                                • API String ID: 2315374483-3268091721
                                • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                • Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                                • Instruction ID: ffc8389238c956ab6c1ca4f2b01b58cd1871601a5e35f3520dab429f03a8b914
                                • Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                                • Instruction Fuzzy Hash: 7DE0E592A0182014F6717A3F6C0575B0545CBC2B7FF11833BF538861C1CFAC4A46519E
                                APIs
                                • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$JD
                                • API String ID: 1901932003-2234456777
                                • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                • Opcode ID: d709a8515617d2ba673b64f2c8ca347ecdfd9c2513b907f156fef7f1ca1e605e
                                • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                • Opcode Fuzzy Hash: d709a8515617d2ba673b64f2c8ca347ecdfd9c2513b907f156fef7f1ca1e605e
                                • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                • Opcode ID: b1940e908fbd14d97542ecab4e0f5363c75517eb77e1add574f14eb0b46c354c
                                • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                • Opcode Fuzzy Hash: b1940e908fbd14d97542ecab4e0f5363c75517eb77e1add574f14eb0b46c354c
                                • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                • Opcode ID: d275befd3fa61f8c1a69313b9e352693d74fa3e6e400107db78181a14dff6bc9
                                • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                • Opcode Fuzzy Hash: d275befd3fa61f8c1a69313b9e352693d74fa3e6e400107db78181a14dff6bc9
                                • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                • Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                                • Instruction ID: d76a88c3c7e0b504eff74fb84b9f6db8507cba8af1ea4ea387731c34734dfbbf
                                • Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                                • Instruction Fuzzy Hash: AAE0E562A0182040F675BA3F2D05B9B49C5DB8173BF11433BF538861C1DFAC4A4251AE
                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B64B
                                  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                  • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                • Opcode ID: b517c3644f2a0ff5b445e5d425ade51854f5aabe0ba9e4ed4d9bf29b6b0d38c2
                                • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                • Opcode Fuzzy Hash: b517c3644f2a0ff5b445e5d425ade51854f5aabe0ba9e4ed4d9bf29b6b0d38c2
                                • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                APIs
                                • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: uD
                                • API String ID: 0-2547262877
                                • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1674314121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1674303018.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674352141.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674369287.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1674395001.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_FdSJYyDayo.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                • API String ID: 2086374402-949981407
                                • Opcode ID: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                • Opcode Fuzzy Hash: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                • API String ID: 587946157-1586967515
                                • Opcode ID: bb18f393a94152f83cce48417cccfa788a776dd848670c049a324d78068a8282
                                • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                • Opcode Fuzzy Hash: bb18f393a94152f83cce48417cccfa788a776dd848670c049a324d78068a8282
                                • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                APIs
                                • ___initconout.LIBCMT ref: 0045555B
                                  • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ConsoleCreateFileWrite___initconout
                                • String ID: PkGNG
                                • API String ID: 3087715906-263838557
                                • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6A5
                                Strings
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                • Opcode ID: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                • Opcode Fuzzy Hash: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                APIs
                                  • Part of subcall function 00449A5C: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                                  • Part of subcall function 00449A5C: _free.LIBCMT ref: 00449ACC
                                  • Part of subcall function 00449AFC: _free.LIBCMT ref: 00449B1E
                                • DeleteCriticalSection.KERNEL32(00746F08), ref: 0043C1F1
                                • _free.LIBCMT ref: 0043C205
                                Strings
                                Yara matches
                                Similarity
                                • API ID: _free$CriticalDeleteSection
                                • String ID: (ot
                                • API String ID: 1906768660-2081557511
                                • Opcode ID: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
                                • Instruction ID: 43a050214315618beeb9c81765b0605937ca417edd614e55d144c525631042cd
                                • Opcode Fuzzy Hash: e906819441e1cb781d28dd4a1ea52947b9d71dae153e88ad857ccbc322e7c3cc
                                • Instruction Fuzzy Hash: 69E04F329145108FEB717F6AFD8595A73E49B4D325B11082FFC0DA316ACA6DAC809B8D
                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                • API String ID: 1881088180-2015055088
                                • Opcode ID: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
                                • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                • Opcode Fuzzy Hash: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
                                • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024
                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B876
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B8A1
                                Strings
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: hdF
                                • API String ID: 3325800564-665520524
                                • Opcode ID: df808ba8ebf8d5c0a6d1b72abb8ee9cce7734050c17300acf0bbb65a0f0efe9c
                                • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                • Opcode Fuzzy Hash: df808ba8ebf8d5c0a6d1b72abb8ee9cce7734050c17300acf0bbb65a0f0efe9c
                                • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                APIs
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CommandLine
                                • String ID: %r
                                • API String ID: 3253501508-2999538795
                                • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                • GetLastError.KERNEL32 ref: 00440D35
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

                                Execution Graph

                                Execution Coverage:1.1%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0%
                                Total number of Nodes:518
                                Total number of Limit Nodes:9
calls _Atexit 46953->46969 46954 446160 RtlAllocateHeap 46956 446173 46954->46956 46954->46957 46956->46776 46957->46953 46957->46954 46968 442f80 7 API calls 2 library calls 46957->46968 46960 4020bf 46959->46960 46970 4023ce 46960->46970 46962 4020ca 46974 40250a 46962->46974 46964 4020d9 46964->46779 46966 4020b7 28 API calls 46965->46966 46967 406dec 46966->46967 46967->46786 46968->46957 46969->46956 46971 402428 46970->46971 46972 4023d8 46970->46972 46971->46962 46972->46971 46981 4027a7 11 API calls std::_Deallocate 46972->46981 46975 40251a 46974->46975 46976 402520 46975->46976 46977 402535 46975->46977 46982 402569 46976->46982 46992 4028e8 28 API calls 46977->46992 46980 402533 46980->46964 46981->46971 46993 402888 46982->46993 46984 40257d 46985 402592 46984->46985 46986 4025a7 46984->46986 46998 402a34 22 API calls 46985->46998 47000 4028e8 28 API calls 46986->47000 46989 40259b 46999 4029da 22 API calls 46989->46999 46991 4025a5 46991->46980 46992->46980 46994 402890 46993->46994 46995 402898 46994->46995 47001 402ca3 22 API calls 46994->47001 46995->46984 46998->46989 46999->46991 47000->46991 47003 4020e7 47002->47003 47004 4023ce 11 API calls 47003->47004 47005 4020f2 47004->47005 47005->46814 47006->46814 47008 41ce41 47007->47008 47009 41cea0 47008->47009 47013 41ce51 47008->47013 47010 41ceba 47009->47010 47011 41cfe0 28 API calls 47009->47011 47028 41d146 28 API calls 47010->47028 47011->47010 47014 41ce89 47013->47014 47019 41cfe0 47013->47019 47027 41d146 28 API calls 47014->47027 47015 41ce9c 47015->46814 47018->46804 47021 41cfe8 47019->47021 47020 41d01a 47020->47014 47021->47020 47022 41d01e 47021->47022 47025 41d002 47021->47025 47039 402725 22 API calls 47022->47039 47029 41d051 47025->47029 47027->47015 47028->47015 47030 41d05b __EH_prolog 47029->47030 47040 402717 22 API calls 47030->47040 47032 41d06e 47041 41d15d 11 API calls 47032->47041 47034 41d094 47035 41d0cc 47034->47035 47042 402730 11 API calls 47034->47042 47035->47020 
47037 41d0b3 47043 402712 11 API calls std::_Deallocate 47037->47043 47040->47032 47041->47034 47042->47037 47043->47035 47044->46818 47045->46822 47046->46824 47047->46837 47048->46837 47050->46913 47061 4127ee 61 API calls 47059->47061 47063 4431a8 _Atexit 47062->47063 47064 4431c0 47063->47064 47065 4432f6 _Atexit GetModuleHandleW 47063->47065 47084 445888 EnterCriticalSection 47064->47084 47067 4431b4 47065->47067 47067->47064 47096 44333a GetModuleHandleExW 47067->47096 47068 443266 47085 4432a6 47068->47085 47071 4431c8 47071->47068 47073 44323d 47071->47073 47104 443f50 20 API calls _Atexit 47071->47104 47076 443255 47073->47076 47105 4441f5 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47073->47105 47074 443283 47088 4432b5 47074->47088 47075 4432af 47107 457729 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47075->47107 47106 4441f5 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47076->47106 47084->47071 47108 4458d0 LeaveCriticalSection 47085->47108 47087 44327f 47087->47074 47087->47075 47109 448cc9 47088->47109 47091 4432e3 47093 44333a _Atexit 8 API calls 47091->47093 47092 4432c3 GetPEB 47092->47091 47094 4432d3 GetCurrentProcess TerminateProcess 47092->47094 47095 4432eb ExitProcess 47093->47095 47094->47091 47097 443364 GetProcAddress 47096->47097 47098 443387 47096->47098 47099 443379 47097->47099 47100 443396 47098->47100 47101 44338d FreeLibrary 47098->47101 47099->47098 47102 434fcb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 47100->47102 47101->47100 47103 4433a0 47102->47103 47103->47064 47104->47073 47105->47076 47106->47068 47108->47087 47110 448cee 47109->47110 47114 448ce4 47109->47114 47115 4484ca 47110->47115 47113 4432bf 47113->47091 47113->47092 47122 434fcb 47114->47122 47116 4484fa 47115->47116 47119 4484f6 47115->47119 47116->47114 47117 44851a 47117->47116 47120 448526 GetProcAddress 47117->47120 47119->47116 47119->47117 47129 448566 
47119->47129 47121 448536 __crt_fast_encode_pointer 47120->47121 47121->47116 47123 434fd6 IsProcessorFeaturePresent 47122->47123 47124 434fd4 47122->47124 47126 435018 47123->47126 47124->47113 47136 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47126->47136 47128 4350fb 47128->47113 47130 448587 LoadLibraryExW 47129->47130 47131 44857c 47129->47131 47132 4485a4 GetLastError 47130->47132 47135 4485bc 47130->47135 47131->47119 47133 4485af LoadLibraryExW 47132->47133 47132->47135 47133->47135 47134 4485d3 FreeLibrary 47134->47131 47135->47131 47135->47134 47136->47128 47137 404e26 WaitForSingleObject 47138 404e40 SetEvent FindCloseChangeNotification 47137->47138 47139 404e57 closesocket 47137->47139 47140 404ed8 47138->47140 47141 404e64 47139->47141 47142 404e7a 47141->47142 47150 4050e4 83 API calls 47141->47150 47143 404e8c WaitForSingleObject 47142->47143 47144 404ece SetEvent CloseHandle 47142->47144 47151 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47143->47151 47144->47140 47147 404e9b SetEvent WaitForSingleObject 47152 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47147->47152 47149 404eb3 SetEvent CloseHandle CloseHandle 47149->47144 47150->47142 47151->47147 47152->47149 47153 40165e 47154 401666 47153->47154 47155 401669 47153->47155 47156 4016a8 47155->47156 47158 401696 47155->47158 47157 4344ea new 22 API calls 47156->47157 47159 40169c 47157->47159 47160 4344ea new 22 API calls 47158->47160 47160->47159

                                Control-flow Graph

                                [Basic-block listing of the function starting at 40e9c5, rendered in the original report as a graph with blocks coloured Executed / Not Executed; block numbers are graph-internal. The function enters at block 40e9c5-40ea47 (call 41cb50, then GetModuleFileNameW) and ends at block 40f3a5-40f3af (call 40dd42, call 414f2a). Blocks that invoke Windows APIs directly: 40e9c5-40ea47 GetModuleFileNameW; 40efc3-40efda CreateThread (after call 41cd9b); 40efea-40f0c6 StrToIntA (followed by call 409de4); 40f0c8-40f0ff, 40f11d-40f154, 40f16e-40f1c7, 40f243-40f256, 40f258-40f262 and 40f26d-40f277 CreateThread (seven thread starts in total); 40f334-40f341 Sleep; 40f346-40f34b DeleteFileW. The edges 40f346-40f34b -> 40f32f-40f332 -> 40f334-40f341 -> 40f346-40f34b form a retry loop that sleeps and calls DeleteFileW again until it succeeds. All other blocks call internal functions only.]
                                APIs
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\27 de Junio\27 de Junio.exe,00000104), ref: 0040E9EE
                                  • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\ProgramData\27 de Junio\27 de Junio.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                • API String ID: 2830904901-2943174168
                                • Opcode ID: 735e378773a5fcea21e10fe25e3fe89480e497fe400f9236ad1c93da947b15b4
                                • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                • Opcode Fuzzy Hash: 735e378773a5fcea21e10fe25e3fe89480e497fe400f9236ad1c93da947b15b4
                                • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
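The control_flow_graph listing for this function is the text behind the rendered graph: each block is written as `<node-id> <start>[-<end>]` followed by `call <addr>` entries (a trailing `* N` means the preceding call occurs N times in the block) and bare Windows API names, and `<a>-><b>` tokens are edges. The parser below is an added example, not part of the Joe Sandbox report or of the sample's code; the grammar is inferred from this page's text only. It reads an excerpt of the listing (copied from this page, middle blocks omitted, so node 124 and 428 appear only as edge endpoints), maps API names to the block ranges that call them, and tests whether a block lies on a cycle, which for the DeleteFileW block confirms the Sleep/DeleteFileW retry loop encoded in the edges.

```python
import re
from collections import deque

# Constructed excerpt of the control_flow_graph listing for the function at
# 40e9c5, copied from the report with the middle blocks omitted.
SAMPLE_CFG = (
    "control_flow_graph "
    "5 40e9c5-40ea47 call 41cb50 GetModuleFileNameW call 40f3c3 call 4020f6 * 2 "
    "call 41be1b call 40fb17 call 401e8d call 43fd00 "
    "22 40ea93-40eb5b call 401e65 call 401fab call 401e65 call 40531e call 406383 "
    "call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 "
    "call 4051e3 call 401e65 call 4051e3 5->22 "
    "23 40ea49-40ea8e call 40fbb3 call 401e65 call 401fab call 410f37 call 40fb64 "
    "call 40f3b0 5->23 "
    "48 40eef2-40ef03 call 401fd8 23->48 "
    "443 40f346-40f34b DeleteFileW 428->443 "
    "444 40f34d 443->444 "
    "445 40f32f-40f332 443->445 444->124 445->124 "
    "446 40f334-40f341 Sleep call 401f04 445->446 446->443"
)

# A block address is one hex address or a start-end range; an edge is "a->b".
NODE_ADDR = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Parse the listing into {node_id: block} and a list of (src, dst) edges."""
    tokens = text.split()
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if tok == "control_flow_graph":
            i += 1
        elif edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and NODE_ADDR.match(tokens[i + 1]):
            # A decimal node id followed by an address token opens a new block.
            start, _, end = tokens[i + 1].partition("-")
            cur = {"start": start, "end": end or start, "calls": [], "apis": []}
            blocks[int(tok)] = cur
            i += 2
        elif tok == "call":
            cur["calls"].append(tokens[i + 1])
            i += 2
        elif tok == "*":
            # "* N": the preceding call is repeated N times in this block.
            cur["calls"].extend([cur["calls"][-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        else:
            cur["apis"].append(tok)  # any other bare token is a Windows API name
            i += 1
    return blocks, edges


def api_blocks(blocks):
    """Map each API name to the address ranges of the blocks that call it."""
    out = {}
    for b in blocks.values():
        for api in b["apis"]:
            out.setdefault(api, []).append(f"{b['start']}-{b['end']}")
    return out


def on_cycle(edges, node_id):
    """True if node_id can reach itself through the edges (a loop in the graph)."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, queue = set(), deque(succ.get(node_id, []))
    while queue:
        n = queue.popleft()
        if n == node_id:
            return True
        if n not in seen:
            seen.add(n)
            queue.extend(succ.get(n, []))
    return False


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    for api, ranges in sorted(api_blocks(blocks).items()):
        print(f"{api:20} {', '.join(ranges)}")
    print("DeleteFileW block on a retry loop:", on_cycle(edges, 443))
```

Run against the full listing, the same functions give every CreateThread block and show that only the DeleteFileW block sits on a cycle, which is the self-delete-with-retry pattern the graph encodes.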

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 465 4432b5-4432c1 call 448cc9 468 4432e3-4432ef call 44333a ExitProcess 465->468 469 4432c3-4432d1 GetPEB 465->469 469->468 471 4432d3-4432dd GetCurrentProcess TerminateProcess 469->471 471->468
                                APIs
                                • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                • ExitProcess.KERNEL32 ref: 004432EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID: PkGNG
                                • API String ID: 1703294689-263838557
                                • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
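The APIs list of this function is the sample's import-resolution routine: every LoadLibraryA or GetModuleHandleA is immediately followed by a GetProcAddress whose module-handle argument is logged as 00000000. Because the logger prints a fixed number of stack slots, the second printed slot of the one-argument loader call is the name (or, for the Shlwapi lookup of 0000000C, the ordinal) that the next GetProcAddress resolves; that reading of the log is an interpretation of the listing, not something the report states. The script below is an added example, not code from the report or from the sample: it parses a constructed excerpt of the lines above into module/symbol pairs, flags ordinal lookups (GetProcAddress treats a name argument whose high-order word is zero as an ordinal), finds symbols requested from more than one module (GetProcessImageFileNameW is asked of both Psapi and Kernel32), and tags resolved names with capability hints. The CAPABILITY_HINTS table is an analyst-supplied mapping of my own, not part of the report.

```python
import re

# Constructed excerpt: lines copied from the report's API listing for the
# import-resolution routine at 0041CB50 (8 of the 26 loader/GetProcAddress pairs).
SAMPLE_LOG = """\
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000), ref: 0041CB88
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
• GetProcAddress.KERNEL32(00000000), ref: 0041CC11
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
• GetProcAddress.KERNEL32(00000000), ref: 0041CC86
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
• GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
"""

# Loader line: API.MODULE(first-slot, second-slot, ...), ref: return-address
LOADER = re.compile(
    r"^\s*•?\s*(LoadLibraryA|GetModuleHandleA)\.\w+\(([^,)]+),([^,)]+).*?\), ref: ([0-9A-Fa-f]+)"
)
GPA = re.compile(r"^\s*•?\s*GetProcAddress\.")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Analyst-supplied hints (assumption, not from the report) for what a resolver
# that wants these symbols is typically preparing to do.
CAPABILITY_HINTS = {
    "NtUnmapViewOfSection": "unmap a mapped image (process-hollowing primitive)",
    "NtSuspendProcess": "suspend other processes",
    "NtResumeProcess": "resume other processes",
    "NtQueryInformationProcess": "process introspection, also used in debugger checks",
    "GetProcessImageFileNameW": "look up process image paths (process enumeration)",
    "IsUserAnAdmin": "check own privilege level",
    "IsWow64Process": "host fingerprinting (bitness)",
    "GetExtendedTcpTable": "enumerate TCP connections",
    "GetExtendedUdpTable": "enumerate UDP endpoints",
    "RmStartSession": "Restart Manager: find processes holding a file open",
    "SetProcessDEPPolicy": "change own DEP policy",
    "GetConsoleWindow": "locate own console window (typically to hide it)",
}


def resolve_pairs(log_text):
    """Turn loader/GetProcAddress line pairs into module/symbol records."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    pairs = []
    for idx, line in enumerate(lines):
        m = LOADER.match(line)
        if not m:
            continue
        loader, module, slot, ref = m.groups()
        symbol, ordinal = slot, None
        # A pointer-sized value with a zero high word is an ordinal to GetProcAddress.
        if HEX8.fullmatch(slot) and int(slot, 16) < 0x10000:
            symbol, ordinal = None, int(slot, 16)
        paired = idx + 1 < len(lines) and bool(GPA.match(lines[idx + 1]))
        pairs.append({"loader": loader, "module": module, "symbol": symbol,
                      "ordinal": ordinal, "ref": ref, "paired": paired})
    return pairs


def fallback_lookups(pairs):
    """Symbols requested from more than one module, in the order they were tried."""
    by_symbol = {}
    for p in pairs:
        if p["symbol"]:
            by_symbol.setdefault(p["symbol"], []).append(p["module"])
    return {s: mods for s, mods in by_symbol.items() if len(mods) > 1}


def capability_summary(pairs):
    """Split resolved imports into (tagged {name: hint}, untagged [name])."""
    tagged, untagged = {}, []
    for p in pairs:
        key = p["symbol"] or f"{p['module']}#{p['ordinal']}"
        hint = CAPABILITY_HINTS.get(p["symbol"])
        if hint:
            tagged[key] = hint
        else:
            untagged.append(key)
    return tagged, untagged


if __name__ == "__main__":
    pairs = resolve_pairs(SAMPLE_LOG)
    tagged, untagged = capability_summary(pairs)
    for name, hint in tagged.items():
        print(f"{name:28} {hint}")
    print("untagged:", untagged, "fallbacks:", fallback_lookups(pairs))
```

Unpaired loader lines (a LoadLibraryA with no GetProcAddress right after it) are reported with `paired` set to False rather than dropped, so a log where the logger missed a call still yields the module name.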

                                Control-flow Graph

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                • SetEvent.KERNEL32(00000000), ref: 00404E43
                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404E4C
                                • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                                • SetEvent.KERNEL32(00000000), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                                • SetEvent.KERNEL32(00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                                • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                                • SetEvent.KERNEL32(00000000), ref: 00404ED1
                                • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                • String ID: PkGNG
                                • API String ID: 2403171778-263838557
                                • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                                Control-flow Graph
                                control_flow_graph 473 448566-44857a 474 448587-4485a2 LoadLibraryExW 473->474 475 44857c-448585 473->475 477 4485a4-4485ad GetLastError 474->477 478 4485cb-4485d1 474->478 476 4485de-4485e0 475->476 479 4485bc 477->479 480 4485af-4485ba LoadLibraryExW 477->480 481 4485d3-4485d4 FreeLibrary 478->481 482 4485da 478->482 483 4485be-4485c0 479->483 480->483 481->482 484 4485dc-4485dd 482->484 483->478 485 4485c2-4485c9 483->485 484->476 485->484
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

                                Control-flow Graph
                                control_flow_graph 486 40d069-40d095 call 401fab CreateMutexA GetLastError
                                APIs
                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                • GetLastError.KERNEL32 ref: 0040D083
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: SG
                                • API String ID: 1925916568-3189917014
                                • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                                Control-flow Graph
                                control_flow_graph 503 4484ca-4484f4 504 4484f6-4484f8 503->504 505 44855f 503->505 507 4484fe-448504 504->507 508 4484fa-4484fc 504->508 506 448561-448565 505->506 509 448506-448508 call 448566 507->509 510 448520 507->510 508->506 513 44850d-448510 509->513 512 448522-448524 510->512 514 448526-448534 GetProcAddress 512->514 515 44854f-44855d 512->515 516 448541-448547 513->516 517 448512-448518 513->517 518 448536-44853f call 43436e 514->518 519 448549 514->519 515->505 516->512 517->509 520 44851a 517->520 518->508 519->515 520->510
                                APIs
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc__crt_fast_encode_pointer
                                • String ID:
                                • API String ID: 2279764990-0
                                • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                                • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

                                Control-flow Graph
                                control_flow_graph 523 40165e-401664 524 401666-401668 523->524 525 401669-401674 523->525 526 401676 525->526 527 40167b-401685 525->527 526->527 528 401687-40168d 527->528 529 4016a8-4016a9 call 4344ea 527->529 528->529 530 40168f-401694 528->530 533 4016ae-4016af 529->533 530->526 532 401696-4016a6 call 4344ea 530->532 535 4016b1-4016b3 532->535 533->535
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

                                Control-flow Graph
                                control_flow_graph 537 446137-446143 538 446175-446180 call 4405dd 537->538 539 446145-446147 537->539 546 446182-446184 538->546 540 446160-446171 RtlAllocateHeap 539->540 541 446149-44614a 539->541 544 446173 540->544 545 44614c-446153 call 445545 540->545 541->540 544->546 545->538 549 446155-44615e call 442f80 545->549 549->538 549->540
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: 46143a75dd4028347809439aaf74d6998f30d4825ee64e2d46a22c89c3e5df59
                                • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                • Opcode Fuzzy Hash: 46143a75dd4028347809439aaf74d6998f30d4825ee64e2d46a22c89c3e5df59
                                • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00412106
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                • CloseHandle.KERNEL32(00000000), ref: 00412155
                                • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                • API String ID: 3018269243-13974260
                                • Opcode ID: 40b24dbe1f17985f058b8880f0b35abadd5faaf693f7cda90d1833beab63ca48
                                • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                • Opcode Fuzzy Hash: 40b24dbe1f17985f058b8880f0b35abadd5faaf693f7cda90d1833beab63ca48
                                • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                • FindClose.KERNEL32(00000000), ref: 0040BD12
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                • Opcode Fuzzy Hash: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                APIs
                                • OpenClipboard.USER32 ref: 004168C2
                                • EmptyClipboard.USER32 ref: 004168D0
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@$hdF
                                • API String ID: 3520204547-3475379602
                                • Opcode ID: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                • Opcode Fuzzy Hash: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                • CloseHandle.KERNEL32(?), ref: 00413465
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                APIs
                                • _wcslen.LIBCMT ref: 00407521
                                • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
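The block above is the evidence behind the "Contains functionality to bypass UAC (CMSTPLUA)" signature: CoGetObject is called on a moniker of the form Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which asks the COM runtime to auto-elevate the CMSTPLUA class, and the surrounding "[+] ucmAllocateElevatedObject" / "[+] CoGetObject SUCCESS" strings are the log lines of the well-known UACMe implementation of that method. The following is an added example, not code from the Joe Sandbox report or from the Remcos sample: a Python triage scanner that looks for the same artefacts in a memory dump or PE image. It searches both narrow and UTF-16LE text, because CoGetObject takes a wide string and the assembled moniker is usually wide even when the format string and CLSID are stored narrow, as the separate strings in this report suggest. The CLSID table is limited to the one CLSID the report names, and the SAMPLE bytes are constructed for the example.

```python
"""Added example, not code from the Joe Sandbox report or from the Remcos
sample: triage a memory dump or PE image for elevation-moniker UAC bypass
evidence (CoGetObject on "Elevation:Administrator!new:{CLSID}" plus the
UACMe-style log strings). Both narrow and UTF-16LE text are searched.
The SAMPLE bytes at the bottom are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Tuple

# Auto-elevating COM class the report associates with this sample. Any other
# CLSID found behind the moniker is reported as "unknown CLSID"; extending
# this table is an assumption left to the reader.
KNOWN_AUTOELEVATE_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}": "CMSTPLUA (ICMLuaUtil)",
}

GUID = rb"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
MONIKER_RE = re.compile(rb"Elevation:Administrator!new:(" + GUID + rb")?")
DEBUG_MARKERS = (
    b"ucmAllocateElevatedObject",
    b"CoGetObject SUCCESS",
    b"CoGetObject FAILURE",
)


@dataclass(frozen=True)
class Finding:
    offset: int      # byte offset in the original blob
    encoding: str    # "ansi" or "utf-16le"
    kind: str        # "moniker", "clsid" or "debug-string"
    detail: str


def _views(blob: bytes) -> Iterator[Tuple[str, bytes, Callable[[int], int]]]:
    """Yield the raw bytes plus two narrowed views (even/odd alignment) in
    which UTF-16LE ASCII text collapses to plain ASCII, each with a mapper
    that turns a match index back into an offset in the original blob."""
    yield "ansi", blob, lambda i: i
    for start in (0, 1):
        yield "utf-16le", blob[start::2], (lambda i, s=start: s + 2 * i)


def scan(blob: bytes) -> List[Finding]:
    found: List[Finding] = []
    for encoding, view, to_offset in _views(blob):
        for m in MONIKER_RE.finditer(view):
            clsid = (m.group(1) or b"").decode("ascii").upper()
            if not clsid:
                label = "format string, CLSID appended at runtime"
            else:
                label = KNOWN_AUTOELEVATE_CLSIDS.get(clsid, "unknown CLSID")
            found.append(Finding(to_offset(m.start()), encoding, "moniker",
                                 f"{clsid or '<none>'} -> {label}"))
        for clsid, label in KNOWN_AUTOELEVATE_CLSIDS.items():
            for m in re.finditer(re.escape(clsid.encode()), view, re.IGNORECASE):
                if view[max(0, m.start() - 4):m.start()] == b"new:":
                    continue  # already covered by the full-moniker hit above
                found.append(Finding(to_offset(m.start()), encoding, "clsid", label))
        for marker in DEBUG_MARKERS:
            for m in re.finditer(re.escape(marker), view):
                found.append(Finding(to_offset(m.start()), encoding,
                                     "debug-string", marker.decode()))
    return sorted(found, key=lambda f: (f.offset, f.kind))


# Constructed stand-in for a dump: a narrow log string, the wide moniker
# carrying the CMSTPLUA CLSID, the narrow format string on its own, a
# narrow failure log string and a bare narrow CLSID.
SAMPLE = (
    b"\x00" * 16
    + b"[+] ucmAllocateElevatedObject\x00"
    + "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16le")
    + b"\x00\x00"
    + b"Elevation:Administrator!new:\x00"
    + b"[-] CoGetObject FAILURE\x00"
    + b"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\x00"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in scan(data):
        print(f"0x{f.offset:08x} {f.encoding:<8} {f.kind:<12} {f.detail}")
```

Run it against one of the .sdmp files listed under Memory Dump Source to confirm the hits at the offsets the report gives; a bare format string with no CLSID behind it is still worth flagging, since this sample stores the CLSID as a separate string and joins them at runtime.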
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                • GetLastError.KERNEL32 ref: 0041A7BB
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: f0a508092aeabfb754dac70d46392ce52f729929a0f06f3e8fb072e170aa9964
                                • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                • Opcode Fuzzy Hash: f0a508092aeabfb754dac70d46392ce52f729929a0f06f3e8fb072e170aa9964
                                • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: (eF$8SG$PXG$PXG$NG$PG
                                • API String ID: 341183262-875132146
                                • Opcode ID: 9126da1a63a3deeb360ac52cf0d05eacb2a0baae9e94e5365ddf0d5057da99c1
                                • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                • Opcode Fuzzy Hash: 9126da1a63a3deeb360ac52cf0d05eacb2a0baae9e94e5365ddf0d5057da99c1
                                • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                • FindClose.KERNEL32(00000000), ref: 0040C47D
                                • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                • Opcode Fuzzy Hash: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID:
                                • API String ID: 2341273852-0
                                • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                APIs
                                • __EH_prolog.LIBCMT ref: 00408811
                                • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID: hdF
                                • API String ID: 1771804793-665520524
                                • Opcode ID: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
                                • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                • Opcode Fuzzy Hash: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
                                • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                APIs
                                  • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                  • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                  • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                  • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                  • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-2876530381
                                • Opcode ID: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                • Opcode Fuzzy Hash: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                • GetLastError.KERNEL32 ref: 0040BA58
                                Strings
                                • [Chrome StoredLogins not found], xrefs: 0040BA72
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                • UserProfile, xrefs: 0040BA1E
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                • Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                • Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
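Two of the blocks above document the "steal Chrome/Firefox passwords or cookies" signatures from the file-system side: a FindFirstFileW walk over %AppData%\Mozilla\Firefox\Profiles\*\cookies.sqlite, and a DeleteFileA on %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data followed by the log strings "[Chrome StoredLogins found, cleared!]" / "[Chrome StoredLogins not found]". The following is an added example, not code from the Joe Sandbox report or from the Remcos sample: a Python detection over Sysmon FileDelete events (Event ID 23, or 26 for FileDeleteDetected) that alerts when one of these stores is deleted by anything other than the browser that owns it. The event dicts use Sysmon's field names, the owning-process allow-list is this example's assumption, and the sample events are constructed, not taken from the sandbox run.

```python
r"""Added example, not code from the Joe Sandbox report or from the Remcos
sample: flag deletion of browser credential stores by a non-browser process.
Input is Sysmon FileDelete events (Event ID 23 or 26) parsed into dicts keyed
by the Sysmon field names. The watched paths come from the report; the
allow-list of owning processes and the sample events are constructed."""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# (file name, lower-case path fragment that must appear, processes allowed
#  to delete it). Only the two stores the report shows are listed.
WATCHED_STORES = (
    ("login data",     "\\google\\chrome\\user data\\",  {"chrome.exe"}),
    ("cookies.sqlite", "\\mozilla\\firefox\\profiles\\", {"firefox.exe"}),
)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def classify_delete(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return an alert when a watched store is deleted by anything but its
    browser, else None. Non-delete events are ignored."""
    if event.get("EventID") not in (23, 26):
        return None
    target = _norm(str(event.get("TargetFilename", "")))
    image = PureWindowsPath(str(event.get("Image", ""))).name.lower()
    for store, fragment, owners in WATCHED_STORES:
        if target.endswith("\\" + store) and fragment in target:
            if image in owners:
                return None  # the browser rewriting or compacting its own DB
            return {
                "rule": "browser_credential_store_deleted",
                "store": store,
                "image": event.get("Image"),
                "target": event.get("TargetFilename"),
                "user": event.get("User"),
                "time": event.get("UtcTime"),
            }
    return None


def run(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    return [a for a in (classify_delete(e) for e in events) if a]


# Constructed Sysmon events for the example (not from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 23, "UtcTime": "2024-01-01 10:01:02.000",
     "Image": r"C:\Users\alice\AppData\Local\Temp\FdSJYyDayo.exe",
     "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 23, "UtcTime": "2024-01-01 10:01:03.000",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"EventID": 23, "UtcTime": "2024-01-01 10:01:04.000",
     "Image": r"C:\Users\alice\AppData\Local\Temp\FdSJYyDayo.exe",
     "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"},
    {"EventID": 11, "UtcTime": "2024-01-01 10:01:05.000",
     "Image": r"C:\Users\alice\AppData\Local\Temp\FdSJYyDayo.exe",
     "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The sample hardcodes the Chrome "Default" profile, but the path test here matches any profile directory under User Data, so a host with several Chrome profiles is covered as well. Sysmon only emits Event ID 23 when a FileDelete rule is configured and the file is archived; Event ID 26 (FileDeleteDetected) is the cheaper option if you only need the alert.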
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                • GetLastError.KERNEL32 ref: 0041799D
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                APIs
                                • __EH_prolog.LIBCMT ref: 00409258
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                • FindClose.KERNEL32(00000000), ref: 004093C1
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
                                  • Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095B9
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                • String ID:
                                • API String ID: 2435342581-0
                                • Opcode ID: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
                                • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                • Opcode Fuzzy Hash: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
                                • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                APIs
                                  • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                  • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                  • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                • ExitProcess.KERNEL32 ref: 0040F8CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 5.0.0 Pro$override$pth_unenc
                                • API String ID: 2281282204-3992771774
                                • Opcode ID: dc16a9e0874cea99cd6dbe969c2e4899a966a5c348296f3374b49b5e23af8a6f
                                • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                • Opcode Fuzzy Hash: dc16a9e0874cea99cd6dbe969c2e4899a966a5c348296f3374b49b5e23af8a6f
                                • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                APIs
                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
                                • GetACP.KERNEL32 ref: 00452513
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: (eF$XPG$XPG
                                • API String ID: 4113138495-1496965907
                                • Opcode ID: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                • Opcode Fuzzy Hash: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                APIs
                                • __EH_prolog.LIBCMT ref: 0040966A
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                • Opcode Fuzzy Hash: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetUserDefaultLCID.KERNEL32 ref: 0045271C
                                • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID:
                                • API String ID: 745075371-0
                                • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                  • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                  • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3576401099
                                • Opcode ID: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                • Opcode Fuzzy Hash: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                • ExitProcess.KERNEL32 ref: 0040D7D0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                                • API String ID: 1861856835-2780701618
                                • Opcode ID: b551f3b2373885e39556138e865b175cc3d4ae26f9f03a76750746f939b0c8d9
                                • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                • Opcode Fuzzy Hash: b551f3b2373885e39556138e865b175cc3d4ae26f9f03a76750746f939b0c8d9
                                • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                • ResumeThread.KERNEL32(?), ref: 00418435
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                • GetLastError.KERNEL32 ref: 0041847A
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                • API String ID: 4188446516-3035715614
                                • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                • ExitProcess.KERNEL32 ref: 0040D419
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("
                                • API String ID: 3797177996-2616068718
                                • Opcode ID: 20ad542f7171711714ea231336f0bfedc48dcef2d82ad876a4b4a36a3752c16a
                                • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                • Opcode Fuzzy Hash: 20ad542f7171711714ea231336f0bfedc48dcef2d82ad876a4b4a36a3752c16a
                                • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                • GetCurrentProcessId.KERNEL32 ref: 00412541
                                • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                • Sleep.KERNEL32(000001F4), ref: 00412682
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                • API String ID: 2649220323-436679193
                                • Opcode ID: 146091e80e50a3233eb3da91dc212e53ef431cc0dfb42efe393cf7564aaa5dfb
                                • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                • Opcode Fuzzy Hash: 146091e80e50a3233eb3da91dc212e53ef431cc0dfb42efe393cf7564aaa5dfb
                                • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                • SetEvent.KERNEL32 ref: 0041B219
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                • CloseHandle.KERNEL32 ref: 0041B23A
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                • API String ID: 738084811-2094122233
                                • Opcode ID: 6950fa60c67da0165606eeaae49d0d75b99f3a8629193b9fdbb0be8d76f71a2c
                                • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                • Opcode Fuzzy Hash: 6950fa60c67da0165606eeaae49d0d75b99f3a8629193b9fdbb0be8d76f71a2c
                                • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\ProgramData\27 de Junio\27 de Junio.exe,00000001,0040764D,C:\ProgramData\27 de Junio\27 de Junio.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\ProgramData\27 de Junio\27 de Junio.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-3654785504
                                • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C036
                                • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                • lstrlenW.KERNEL32(?), ref: 0041C067
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                • _wcslen.LIBCMT ref: 0041C13B
                                • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                • GetLastError.KERNEL32 ref: 0041C173
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                • GetLastError.KERNEL32 ref: 0041C1D0
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                APIs
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                • API String ID: 3899193279-0
                                • Opcode ID: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
                                • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                • Opcode Fuzzy Hash: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
                                • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                • Sleep.KERNEL32(00000064), ref: 00412E94
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$0TG$0TG$NG$NG
                                • API String ID: 1223786279-2576077980
                                • Opcode ID: 45816bd423e92bb8680930aa6a7d7804db8f63587a8a1e07c71b8186c8759938
                                • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                • Opcode Fuzzy Hash: 45816bd423e92bb8680930aa6a7d7804db8f63587a8a1e07c71b8186c8759938
                                • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                • __aulldiv.LIBCMT ref: 00408D4D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                                • API String ID: 3086580692-1206044436
                                • Opcode ID: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                • Opcode Fuzzy Hash: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A740
                                  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                  • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                                • API String ID: 3795512280-4009011672
                                • Opcode ID: dd9c0471e25d076647664c84ec6971b7212badb5cce70a00efb0c7fa575d8801
                                • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                • Opcode Fuzzy Hash: dd9c0471e25d076647664c84ec6971b7212badb5cce70a00efb0c7fa575d8801
                                • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                • GetCursorPos.USER32(?), ref: 0041D5E9
                                • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                • ExitProcess.KERNEL32 ref: 0041D665
                                • CreatePopupMenu.USER32 ref: 0041D66B
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe
                                • API String ID: 3756808967-3633479162
                                • Opcode ID: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                • Opcode Fuzzy Hash: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                • ExitProcess.KERNEL32 ref: 0040D9C4
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                                • API String ID: 1913171305-51354631
                                • Opcode ID: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                • Opcode Fuzzy Hash: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-3229884001
                                • Opcode ID: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                • Opcode Fuzzy Hash: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045130A
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                • _free.LIBCMT ref: 004512FF
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00451321
                                • _free.LIBCMT ref: 00451336
                                • _free.LIBCMT ref: 00451341
                                • _free.LIBCMT ref: 00451363
                                • _free.LIBCMT ref: 00451376
                                • _free.LIBCMT ref: 00451384
                                • _free.LIBCMT ref: 0045138F
                                • _free.LIBCMT ref: 004513C7
                                • _free.LIBCMT ref: 004513CE
                                • _free.LIBCMT ref: 004513EB
                                • _free.LIBCMT ref: 00451403
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                APIs
                                  • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                • GetLastError.KERNEL32 ref: 00455CEF
                                • __dosmaperr.LIBCMT ref: 00455CF6
                                • GetFileType.KERNEL32(00000000), ref: 00455D02
                                • GetLastError.KERNEL32 ref: 00455D0C
                                • __dosmaperr.LIBCMT ref: 00455D15
                                • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                • CloseHandle.KERNEL32(?), ref: 00455E7F
                                • GetLastError.KERNEL32 ref: 00455EB1
                                • __dosmaperr.LIBCMT ref: 00455EB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                • __freea.LIBCMT ref: 0044AE30
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • __freea.LIBCMT ref: 0044AE39
                                • __freea.LIBCMT ref: 0044AE5E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                • String ID: $C$PkGNG
                                • API String ID: 3864826663-3740547665
                                • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                • Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                APIs
                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                • Opcode Fuzzy Hash: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                APIs
                                • OpenClipboard.USER32 ref: 00416941
                                • EmptyClipboard.USER32 ref: 0041694F
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@$hdF
                                • API String ID: 2172192267-3475379602
                                • Opcode ID: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                • Opcode Fuzzy Hash: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                • __dosmaperr.LIBCMT ref: 0043A8A6
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                • __dosmaperr.LIBCMT ref: 0043A8E3
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                • __dosmaperr.LIBCMT ref: 0043A937
                                • _free.LIBCMT ref: 0043A943
                                • _free.LIBCMT ref: 0043A94A
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32(?), ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                • Opcode ID: 98d7fc9a3a72e6d6bfbf6b27db268e5f85bba016a9b53e28ddd98716df2f9a1e
                                • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                • Opcode Fuzzy Hash: 98d7fc9a3a72e6d6bfbf6b27db268e5f85bba016a9b53e28ddd98716df2f9a1e
                                • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                • Opcode Fuzzy Hash: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                APIs
                                • _free.LIBCMT ref: 00448135
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00448141
                                • _free.LIBCMT ref: 0044814C
                                • _free.LIBCMT ref: 00448157
                                • _free.LIBCMT ref: 00448162
                                • _free.LIBCMT ref: 0044816D
                                • _free.LIBCMT ref: 00448178
                                • _free.LIBCMT ref: 00448183
                                • _free.LIBCMT ref: 0044818E
                                • _free.LIBCMT ref: 0044819C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                • API String ID: 3578746661-3604713145
                                • Opcode ID: f0dba5d8d6864af02b3b645620e2b398742db76bd3d39d22f5ca39753edc038d
                                • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                • Opcode Fuzzy Hash: f0dba5d8d6864af02b3b645620e2b398742db76bd3d39d22f5ca39753edc038d
                                • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                • __fassign.LIBCMT ref: 0044B479
                                • __fassign.LIBCMT ref: 0044B494
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID: PkGNG
                                • API String ID: 1324828854-263838557
                                • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: [S$PkG$XMG$NG$NG
                                • API String ID: 1649129571-1645715370
                                • Opcode ID: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                • Opcode Fuzzy Hash: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(00000064), ref: 00417521
                                • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                • Opcode Fuzzy Hash: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\ProgramData\27 de Junio\27 de Junio.exe), ref: 0040749E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: dMG$|MG$PG
                                • API String ID: 1356121797-532278878
                                • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                  • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                  • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                  • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                • TranslateMessage.USER32(?), ref: 0041D4E9
                                • DispatchMessageA.USER32(?), ref: 0041D4F3
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _memcmp.LIBVCRUNTIME ref: 00445423
                                • _free.LIBCMT ref: 00445494
                                • _free.LIBCMT ref: 004454AD
                                • _free.LIBCMT ref: 004454DF
                                • _free.LIBCMT ref: 004454E8
                                • _free.LIBCMT ref: 004454F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                • Opcode Fuzzy Hash: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                • Opcode Fuzzy Hash: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                • GetLastError.KERNEL32 ref: 0040A2ED
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                • TranslateMessage.USER32(?), ref: 0040A34A
                                • DispatchMessageA.USER32(?), ref: 0040A355
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A301
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                • Opcode Fuzzy Hash: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                APIs
                                • GetForegroundWindow.USER32 ref: 0040A416
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                • GetKeyState.USER32(00000010), ref: 0040A433
                                • GetKeyboardState.USER32(?), ref: 0040A43E
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend
                                • String ID:
                                • API String ID: 3431551938-0
                                • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$zD
                                • API String ID: 2936374016-2723203690
                                • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                APIs
                                • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041C726
                                • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName
                                • API String ID: 1332880857-3786665039
                                • Opcode ID: 9acb91869caa52ba962ff5e9cffe7dbf008cca4ae8889db815e50d5881a9b18e
                                • Instruction ID: 30dd124696def6d144da0f01c12024620090e461f41beb3abd2b2340f2562d2c
                                • Opcode Fuzzy Hash: 9acb91869caa52ba962ff5e9cffe7dbf008cca4ae8889db815e50d5881a9b18e
                                • Instruction Fuzzy Hash: E961F3711082419AD325EF11D851EEFB3E8BF94309F10493FB589921A2FF789E49CA5A
                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                • Opcode Fuzzy Hash: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                • __alloca_probe_16.LIBCMT ref: 004511B1
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                • __freea.LIBCMT ref: 0045121D
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID: PkGNG
                                • API String ID: 313313983-263838557
                                • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                APIs
                                  • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                  • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                  • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • _wcslen.LIBCMT ref: 0041B763
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-122982132
                                • Opcode ID: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                • Opcode Fuzzy Hash: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: 1e9fec68a0fa9a491aeb73d0e269fc382ae80b43ef1841fb67e99dd13ca0ad51
                                • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                • Opcode Fuzzy Hash: 1e9fec68a0fa9a491aeb73d0e269fc382ae80b43ef1841fb67e99dd13ca0ad51
                                • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                • int.LIBCPMT ref: 00411183
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 004111C3
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                  • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                                • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-2070987746
                                • Opcode ID: f4059261ec9105722489d9fd436038e764cf76dffb1ecded69b4c09404498de6
                                • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                • Opcode Fuzzy Hash: f4059261ec9105722489d9fd436038e764cf76dffb1ecded69b4c09404498de6
                                • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                APIs
                                • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                Yara matches
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\ProgramData\27 de Junio\27 de Junio.exe), ref: 004075D0
                                  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                • CoUninitialize.OLE32 ref: 00407629
                                Strings
                                Yara matches
                                Similarity
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\ProgramData\27 de Junio\27 de Junio.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-3511993767
                                • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                • GetLastError.KERNEL32 ref: 0040BAE7
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                • UserProfile, xrefs: 0040BAAD
                                • [Chrome Cookies not found], xrefs: 0040BB01
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
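The three records above (the geoplugin.net check-in over WinINet, the COM elevation via CoGetObject with the "[+] ucmCMLuaUtilShellExecMethod" strings, and the deletion of the Chrome Cookies database) share one layout: an "APIs" list, a "Strings" list and a "Similarity" block whose "String ID" joins strings with "$". The following is an added example, not Joe Sandbox code, that parses that layout and tags each function with the behaviour its API calls plus strings imply; the sample text is copied from those records, and the rule names, the required-API sets and the assumption that the listing keeps the bullet and "ref:"/"xrefs:" layout are this example's own.

```python
"""Added example (not Joe Sandbox code): parse the per-function records of a
Joe Sandbox report and tag each function with the behaviour its API calls and
strings imply. Rule names and layout assumptions are this example's own."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records copied from the function listing above,
# in the report's own layout (bullets, 'ref:' / 'xrefs:' suffixes, '$' joins).
SAMPLE = r"""
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
Strings
• http://geoplugin.net/json.gp, xrefs: 0041B3B7
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• Opcode ID: 1e9fec68a0fa9a491aeb73d0e269fc382ae80b43ef1841fb67e99dd13ca0ad51
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\ProgramData\27 de Junio\27 de Junio.exe), ref: 004075D0
  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• CoUninitialize.OLE32 ref: 00407629
Strings
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\ProgramData\27 de Junio\27 de Junio.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
• GetLastError.KERNEL32 ref: 0040BAE7
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
"""

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)     # (api_name, module)
    strings: list = field(default_factory=list)  # 'Strings' lines + 'String ID' parts
    opcode_id: str = ""

# 'InternetOpenUrlW.WININET(...)' or 'std::_Lockit::_Lockit.LIBCPMT ref:' -> (name, module)
_API_RE = re.compile(r"([\w:~@?$]+)\.([A-Z0-9]+)\b")
_SECTIONS = {"Strings", "Similarity", "Memory Dump Source", "Yara matches"}

def parse_records(text):
    """Split report text into FuncRecords; a bare 'APIs' line starts a record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
            section = "APIs"
        elif line in _SECTIONS:
            section = line
        elif cur is None:
            continue
        elif section == "APIs":
            m = _API_RE.search(line)  # also picks up 'Part of subcall function' lines
            if m:
                cur.apis.append((m.group(1), m.group(2)))
        elif section == "Strings":
            cur.strings.append(line.rsplit(", xrefs:", 1)[0])
        elif section == "Similarity":
            if line.startswith("String ID:"):
                cur.strings.extend(s.strip() for s in line[10:].split("$") if s.strip())
            elif line.startswith("Opcode ID:"):
                cur.opcode_id = line[10:].strip()
    return records

# Behaviour rules (this example's own): every listed API must be called by the
# function and every listed fragment must occur in one of its strings.
RULES = [
    ("geolocation-checkin", {"InternetOpenUrlW"}, ["geoplugin.net"]),
    ("uac-bypass-cmstplua-elevation-moniker", {"CoGetObject"}, ["ucmCMLuaUtil"]),
    ("chrome-cookie-wipe", {"DeleteFileA"}, [r"Chrome\User Data\Default\Cookies"]),
    ("installed-software-enum", {"RegEnumKeyExA", "RegOpenKeyExA"}, ["DisplayName"]),
    ("os-fingerprint", {"IsWow64Process"}, ["ProductName", "CurrentBuildNumber"]),
]

def classify(rec):
    names = {name for name, _ in rec.apis}
    return [tag for tag, apis, frags in RULES
            if apis <= names and all(any(f in s for s in rec.strings) for f in frags)]

def tag_report(text):
    """Map each record's Opcode ID to the behaviour tags it triggers."""
    return {rec.opcode_id: classify(rec) for rec in parse_records(text)}

if __name__ == "__main__":
    for opcode_id, tags in tag_report(SAMPLE).items():
        print(opcode_id[:16], tags or ["no rule matched"])
```

Keying the result on the Opcode ID lets the tags be joined back to the same function in other reports of the family, which is what the report's own "Similarity" block is for; the last two rules match the installed-software enumeration (RegEnumKeyExA with "DisplayName") and the OS fingerprinting (IsWow64Process with "ProductName"/"CurrentBuildNumber") records higher up on the page when the whole listing is fed in.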
                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: SG$C:\ProgramData\27 de Junio\27 de Junio.exe$hdF
                                • API String ID: 0-3989489805
                                • Opcode ID: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                • Opcode Fuzzy Hash: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$PkGNG$mscoree.dll
                                • API String ID: 4061214504-213444651
                                • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                APIs
                                • __allrem.LIBCMT ref: 0043AC69
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                • __allrem.LIBCMT ref: 0043AC9C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                • __allrem.LIBCMT ref: 0043ACD1
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                • Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                APIs
                                • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                • API String ID: 3469354165-3054508432
                                • Opcode ID: 8a9e07857626f41951fbfcdb48f17559f4f4407599368e7a9c0fb5409ee4abf5
                                • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                • Opcode Fuzzy Hash: 8a9e07857626f41951fbfcdb48f17559f4f4407599368e7a9c0fb5409ee4abf5
                                • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID: PkGNG
                                • API String ID: 1036877536-263838557
                                • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                APIs
                                • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                • _free.LIBCMT ref: 0044824C
                                • _free.LIBCMT ref: 00448274
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                • _abort.LIBCMT ref: 00448293
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                • Opcode Fuzzy Hash: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                • Opcode Fuzzy Hash: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                • Opcode ID: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                • Opcode Fuzzy Hash: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                • wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                • API String ID: 1497725170-248792730
                                • Opcode ID: a7c6f27475bfec295d022b2ba5d983e1240c8cfcb4a2fe4930fa699ea7be73b7
                                • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                • Opcode Fuzzy Hash: a7c6f27475bfec295d022b2ba5d983e1240c8cfcb4a2fe4930fa699ea7be73b7
                                • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
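The GetLocalTime/wsprintfW pair in the function above, together with the three string fragments "[%04i/%02i/%02i %02i:%02i:%02i ", "Offline Keylogger Started" and "]", is the routine that stamps a session header into the offline keylogger's log. The Python scanner below is an added example for this report, not code from Joe Sandbox or from the sample: it decodes a recovered log (wsprintfW emits UTF-16LE, so wide text is tried first, with a plain-ASCII fallback) and extracts every session start so an analyst can scope how long the logger ran. The assembled header layout "[YYYY/MM/DD HH:MM:SS Offline Keylogger Started]" is inferred from the order of the fragments and is an assumption; the log content is constructed, not captured from this run.

```python
import re
from datetime import datetime
from typing import List

# The report shows three fragments handed to wsprintfW:
#   "[%04i/%02i/%02i %02i:%02i:%02i ", "Offline Keylogger Started", "]"
# Joining them as "[2024/06/27 10:15:30 Offline Keylogger Started]" is an
# assumption about the final layout; adjust if a live log differs.
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Offline Keylogger Started\]"
)


def decode_log(data: bytes) -> str:
    """wsprintfW writes UTF-16LE; fall back to latin-1 so ASCII copies still match."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16-le", errors="replace")
    # Heuristic: wide ASCII text has a NUL in every second byte position.
    if len(data) >= 2 and data[1:2] == b"\x00":
        return data.decode("utf-16-le", errors="replace")
    return data.decode("latin-1")


def find_session_starts(data: bytes) -> List[datetime]:
    """Return the timestamp of every keylogger session header found in the log."""
    text = decode_log(data)
    starts: List[datetime] = []
    for match in HEADER_RE.finditer(text):
        try:
            starts.append(datetime.strptime(match.group("ts"), "%Y/%m/%d %H:%M:%S"))
        except ValueError:
            # Month 13, hour 25 etc.: corrupt or forged header, skip it rather than crash.
            continue
    return starts


def is_remcos_keylog(data: bytes) -> bool:
    """True when at least one well-formed session header is present."""
    return bool(find_session_starts(data))


# Constructed sample log (not captured from the sandbox run): two sessions, UTF-16LE
# with no BOM, plus one window-title line and some typed text between them.
SAMPLE_LOG = (
    "[2024/06/27 10:15:30 Offline Keylogger Started]\r\n"
    "[Untitled - Notepad]\r\nhello world\r\n"
    "[2024/06/28 08:01:02 Offline Keylogger Started]\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for ts in find_session_starts(SAMPLE_LOG):
        print("keylogger session started", ts.isoformat())
```

Point the scanner at files recovered from the dropped-file list or from user profile directories; a hit gives the exact wall-clock start of each logging session, which is the window to reconcile against credential-change timelines.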
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: XQG
                                • API String ID: 1958988193-3606453820
                                • Opcode ID: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                • Opcode Fuzzy Hash: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                • GetLastError.KERNEL32 ref: 0041D580
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                • CloseHandle.KERNEL32(?), ref: 004077AA
                                • CloseHandle.KERNEL32(?), ref: 004077AF
                                Strings
                                • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
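The CreateProcessA call above runs cmd.exe /k with reg.exe ADD ... /v EnableLUA /t REG_DWORD /d 0 /f, which switches UAC off for the whole machine. Two caveats matter for triage: writing under HKLM already requires an elevated token, so this step preserves elevation rather than gaining it, and the new value only takes effect after a restart, so a live host may still show UAC prompts while the key already reads 0. As an added example for this report, not code from Joe Sandbox or from the sample, the Python below flags that command pattern in process-creation telemetry, tolerating the variants a detection engineer usually meets (full path or bare reg, HKLM or HKEY_LOCAL_MACHINE, quoting, 0 or 0x0) while ignoring the benign re-enable (/d 1) and read-only query. The event records are constructed; the field names mirror Sysmon Event ID 1 but the parent path is an assumption.

```python
import re
from typing import Dict, List


def normalise(cmdline: str) -> str:
    """Collapse whitespace, drop quotes and lower-case so one regex covers the variants."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


# reg.exe ADD against the UAC policy key with EnableLUA forced to zero.
# Two lookaheads let /v and /d appear in any order after the key path.
_ENABLELUA_RE = re.compile(
    r"(?:^|[\s\\])reg(?:\.exe)?\s+add\s+"
    r"hk(?:lm|ey_local_machine)\\software\\microsoft\\windows\\currentversion\\policies\\system"
    r"(?=.*\s/v\s+enablelua\b)"      # value name is EnableLUA
    r"(?=.*\s/d\s+(?:0x)?0+\b)"      # data written is zero (0, 00, 0x0, ...)
)


def is_uac_disable(cmdline: str) -> bool:
    """True when the command line disables UAC by writing EnableLUA = 0."""
    return _ENABLELUA_RE.search(normalise(cmdline)) is not None


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the process-creation events whose CommandLine disables UAC."""
    return [e for e in events if is_uac_disable(e.get("CommandLine", ""))]


# Constructed process-creation records (not taken from the sandbox run). Field
# names follow Sysmon Event ID 1; the parent path for the sample is assumed.
SAMPLE_EVENTS = [
    {   # the exact command line shown in the report, launched via cmd.exe /k
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\FdSJYyDayo.exe",
        "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                       r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                       r"/v EnableLUA /t REG_DWORD /d 0 /f",
    },
    {   # same intent, different spelling: quoted long hive name, hex zero, bare reg
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'reg  add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" '
                       r"/v EnableLUA /t REG_DWORD /d 0x0 /f",
    },
    {   # an administrator turning UAC back on: must not fire
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                       r"/v EnableLUA /t REG_DWORD /d 1 /f",
    },
    {   # a read-only query of the same value: must not fire
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
    },
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print("UAC disable attempt:", hit["ParentImage"], "->", hit["CommandLine"])
```

Because the sample goes through cmd.exe /k, the interesting command line appears on the cmd.exe event as well as on the child reg.exe event; matching on the normalised CommandLine of every process rather than only on Image = reg.exe catches both, and the parent chain back to the dropper is what turns the alert into an incident.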
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                • SetEvent.KERNEL32(?), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                • CloseHandle.KERNEL32(?), ref: 00405140
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                • Opcode ID: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                • Opcode Fuzzy Hash: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
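The FindResourceA(SETTINGS, 0000000A) / LoadResource / LockResource / SizeofResource chain above is the sample reading an RT_RCDATA (type 10) resource named SETTINGS, which is where Remcos keeps its encrypted configuration. The Python below is an added example, not code from this report or from the sample, that pulls that resource out of a PE and decrypts it. The blob layout it assumes (one key-length byte, the RC4 key, then RC4 ciphertext whose fields are split on a separator) is the one described in public Remcos analyses and is not shown anywhere in this report; the separator and the meaning of each field position vary between Remcos versions and are marked as assumptions in the code. pefile is only needed for the on-disk extraction step, everything else is standard library.

```python
"""Added example: extract and decrypt a Remcos-style SETTINGS resource.

The FindResourceA("SETTINGS", 10) -> LoadResource -> LockResource -> SizeofResource
chain in the report is the sample reading an RT_RCDATA (type 10) resource named
SETTINGS. The blob layout handled here (1-byte key length, RC4 key, RC4
ciphertext, fields split by a separator) is the one described in public Remcos
analyses; it is an assumption relative to this report, which only shows the lookup.
"""
from __future__ import annotations

try:
    import pefile  # optional; only needed to read a real PE from disk
except ImportError:  # pragma: no cover
    pefile = None

RT_RCDATA = 10
# Field separator seen in Remcos v2/v3 configs (assumption; v1 builds used a bare "|").
DEFAULT_SEP = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Split a SETTINGS blob into (rc4_key, decrypted_config).

    Assumed layout: blob[0] = key length, blob[1:1+n] = key, remainder = ciphertext.
    A key length that does not fit the blob means this build uses another layout.
    """
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("implausible key length %d for %d-byte blob" % (key_len, len(blob)))
    key = blob[1:1 + key_len]
    return key, rc4(key, blob[1 + key_len:])


def split_config(plaintext: bytes, sep: bytes = DEFAULT_SEP) -> list[bytes]:
    """Split the decrypted config into positional fields.

    Public extractors treat field 0 as the C2 list (host:port:password entries
    separated by ';') and field 1 as the botnet/campaign name; later indexes
    differ per version, so treat the mapping as an assumption to be verified.
    """
    return plaintext.split(sep)


def extract_settings_resource(pe_path: str) -> bytes:
    """Return the raw RT_RCDATA resource named SETTINGS from a PE on disk (needs pefile)."""
    if pefile is None:
        raise RuntimeError("pip install pefile to read resources from a real sample")
    pe = pefile.PE(pe_path)
    if not hasattr(pe, "DIRECTORY_ENTRY_RESOURCE"):
        raise LookupError("PE has no resource directory")
    for rtype in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if rtype.id != RT_RCDATA:
            continue
        for name_entry in rtype.directory.entries:
            if name_entry.name is None or str(name_entry.name).upper() != "SETTINGS":
                continue
            leaf = name_entry.directory.entries[0]  # first language entry
            return pe.get_data(leaf.data.struct.OffsetToData, leaf.data.struct.Size)
    raise LookupError("no RT_RCDATA resource named SETTINGS")


def build_settings_blob(key: bytes, fields: list[bytes], sep: bytes = DEFAULT_SEP) -> bytes:
    """Constructed test helper: encode fields the way parse_settings_blob expects."""
    return bytes([len(key)]) + key + rc4(key, sep.join(fields))


if __name__ == "__main__":
    # Constructed sample data, not values taken from this report.
    demo = build_settings_blob(b"demo-key", [b"203.0.113.10:2404:pass", b"RemoteHost", b"1"])
    key, plain = parse_settings_blob(demo)
    print("key:", key, "fields:", split_config(plain))
```

Against a real dump, call extract_settings_resource(path) and hand the bytes to parse_settings_blob. If the key-length byte does not fit the blob, or the decrypted output does not split on the separator into readable host:port:password entries, the build uses a different layout and the blob should be inspected by hand rather than trusted.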
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                  • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                • Opcode ID: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                • Opcode Fuzzy Hash: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                • _free.LIBCMT ref: 0044F3BF
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                APIs
                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID:
                                • API String ID: 1852769593-0
                                • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                • _free.LIBCMT ref: 004482D3
                                • _free.LIBCMT ref: 004482FA
                                • SetLastError.KERNEL32(00000000), ref: 00448307
                                • SetLastError.KERNEL32(00000000), ref: 00448310
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                APIs
                                • _free.LIBCMT ref: 004509D4
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 004509E6
                                • _free.LIBCMT ref: 004509F8
                                • _free.LIBCMT ref: 00450A0A
                                • _free.LIBCMT ref: 00450A1C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                APIs
                                • _free.LIBCMT ref: 00444066
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00444078
                                • _free.LIBCMT ref: 0044408B
                                • _free.LIBCMT ref: 0044409C
                                • _free.LIBCMT ref: 004440AD
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$NG
                                • API String ID: 180926312-2721294649
                                • Opcode ID: 6aba0e1526872b8ea9430f636792efb423e8d3bccf8b99a8d979ce72e9a1f28a
                                • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                • Opcode Fuzzy Hash: 6aba0e1526872b8ea9430f636792efb423e8d3bccf8b99a8d979ce72e9a1f28a
                                • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: `#D$`#D
                                • API String ID: 885266447-2450397995
                                • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\27 de Junio\27 de Junio.exe,00000104), ref: 00443475
                                • _free.LIBCMT ref: 00443540
                                • _free.LIBCMT ref: 0044354A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000002.00000002.1803700956.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803741309.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803757811.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000002.00000002.1803782100.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\ProgramData\27 de Junio\27 de Junio.exe
                                • API String ID: 2506810119-1775220897
                                • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                • GetLastError.KERNEL32 ref: 0044B931
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                • String ID: PkGNG
                                • API String ID: 2456169464-263838557
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 0040B797
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                                • API String ID: 1881088180-1379921833
                                APIs
                                • _wcslen.LIBCMT ref: 004162F5
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                  • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                Strings
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$okmode$PG
                                • API String ID: 3411444782-3370592832
                                APIs
                                  • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0040C603
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                APIs
                                  • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                • API String ID: 481472006-3277280411
                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                APIs
                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                • GetLastError.KERNEL32 ref: 0044C296
                                • __dosmaperr.LIBCMT ref: 0044C29D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastPointer__dosmaperr
                                • String ID: PkGNG
                                • API String ID: 2336955059-263838557
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                APIs
                                • waveInPrepareHeader.WINMM(00535B20,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                • waveInAddBuffer.WINMM(00535B20,00000020,?,00000000,00401A15), ref: 0040185F
                                Strings
                                Yara matches
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: [S$XMG
                                • API String ID: 2315374483-2881161687
                                APIs
                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                Strings
                                Yara matches
                                Similarity
                                • API ID: FormatFreeLocalMessage
                                • String ID: @J@$PkGNG
                                • API String ID: 1427518018-1416487119
                                APIs
                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,74DF37E0,?), ref: 0041384D
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,74DF37E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Control Panel\Desktop
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                Strings
                                • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                APIs
                                • EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
                                • EnumDisplayDevicesW.USER32(?), ref: 00419525
                                • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
                                • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7
                                Similarity
                                • API ID: DisplayEnum$Devices$Monitors
                                APIs
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • Sleep.KERNEL32(00000BB8), ref: 0041277A
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: 8SG$exepath$hdF
                                APIs
                                • _free.LIBCMT ref: 004493BD
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • GetTimeZoneInformation.KERNEL32 ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                APIs
                                  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                • Sleep.KERNEL32(000001F4), ref: 0040A573
                                • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                • _UnwindNestedFrames.LIBCMT ref: 00439891
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                Similarity
                                • API ID: MetricsSystem
                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                • GetLastError.KERNEL32 ref: 0044B804
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                • GetLastError.KERNEL32 ref: 0044B716
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                • API String ID: 1291196975-2966254431
                                APIs
                                • Sleep.KERNEL32 ref: 00416640
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                • API String ID: 1931167962-604454484
                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                APIs
                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: String
                                • String ID: LCMapStringEx$PkGNG
                                • API String ID: 2568140703-1065776982
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                APIs
                                • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$JD
                                • API String ID: 1901932003-2234456777
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B64B
                                  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                  • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                APIs
                                • ___initconout.LIBCMT ref: 0045555B
                                  • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ConsoleCreateFileWrite___initconout
                                • String ID: PkGNG
                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B876
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B8A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: hdF
                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                Memory Dump Source
                                • Source File: 00000002.00000002.1803712179.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_27 de Junio.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID: