
Windows Analysis Report
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe

Overview

General Information

Sample name: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
Analysis ID: 1546403
MD5: e059128970dd9b9bc923ad682dfc733d
SHA1: ba609e29ac0737b758652b3f8711f3e813e3057c
SHA256: 82d05f7c1e3d16ba7e22348af4c14533cce64567b024e2149b511c62a85c81bc
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos):
{"Host:Port:Password": ["80.76.51.190:16465:1", "rem.aaahorneswll.com:16465:1"], "Assigned name": "RemoteHost-16465", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-XH0QAV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author
4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

                      Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details […] EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, ProcessId: 7416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-XH0QAV\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T21:09:19.713882+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49732 | TCP
2024-10-31T21:09:58.445866+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49931 | TCP
2024-10-31T21:09:03.375552+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 80.76.51.190 | 16465 | TCP
2024-10-31T21:09:06.746297+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | TCP


                      AV Detection

Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Avira: detected
Source: 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["80.76.51.190:16465:1", "rem.aaahorneswll.com:16465:1"], "Assigned name": "RemoteHost-16465", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-XH0QAV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                      Exploits

Source: Yara match | File source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTR

                      Privilege Escalation

Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00407538 _wcslen,CoGetObject
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00407877 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0044E8F9 FindFirstFileExA
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                      Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49700 -> 80.76.51.190:16465
Source: Malware configuration extractor | URLs: rem.aaahorneswll.com
Source: Malware configuration extractor | IPs: 80.76.51.190
Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 80.76.51.190:16465
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1  Host: geoplugin.net  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: CLOUDCOMPUTINGDE
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49701 -> 178.237.33.50:80
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49732
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49931
Source: unknown | TCP traffic detected without corresponding DNS query: 80.76.51.190 (reported 18 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1  Host: geoplugin.net  Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000061D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312581706.000000000065F000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.0000000000651000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.000000000061D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312581706.000000000065F000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.0000000000651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp1
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.000000000061D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp3U
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.000000000061D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpCT
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.000000000061D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTR

                      E-Banking Fraud

Source: Yara match | File source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0041CA73 SystemParametersInfoW

                      System Summary

Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0043706A
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00414005
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0043E11C
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_004541D9
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_004381E8
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041F18B
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00446270
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0043E34B
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_004533AB
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0042742E
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00437566
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0043E5A8
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_004387F0
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0043797E
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_004339D7
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0044DA49
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00427AD7
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041DBF3
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00427C40
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00437DB3
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00435EEB
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0043DEED
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_00426E9F
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: String function: 00434801 appears 42 times
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine; Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@1/2
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Code function: 4_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Mutant created: \Sessions\1\BaseNamedObjects\Rmc-XH0QAV
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: PG (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: Software\ (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: Rmc-XH0QAV (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: Exe (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: ,aF (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: Inj (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: 8SG (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: exepath (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: licence (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: dMG (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: PSG (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: Administrator (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: User (4_2_0040EA00)
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Command line argument: del (4_2_0040EA00)
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exeCode function: 4_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CBE1
                      Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exeCode function: 4_2_00457186 push ecx; ret 4_2_00457199
                      Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exeCode function: 4_2_00457AA8 push eax; ret 4_2_00457AC6
                      Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exeCode function: 4_2_00434EB6 push ecx; ret 4_2_00434EC9
                      Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exeCode function: 4_2_00406EEB ShellExecuteW,URLDownloadToFileW,4_2_00406EEB
                      Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exeCode function: 4_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_0041AADB
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040F7E2 Sleep,ExitProcess,4_2_0040F7E2
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_0041A7D9
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Window / User API: threadDelayed 369
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Window / User API: threadDelayed 9622
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe TID: 7432 | Thread sleep count: 369 > 30
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe TID: 7432 | Thread sleep time: -1107000s >= -30000s
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe TID: 7432 | Thread sleep count: 9622 > 30
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe TID: 7432 | Thread sleep time: -28866000s >= -30000s
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_0040928E
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C322
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C388
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_004096A0
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_00408847
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00407877 FindFirstFileW,FindNextFileW,4_2_00407877
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0044E8F9 FindFirstFileExA,4_2_0044E8F9
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB6B
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419B86
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD72
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407CD2
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0sg%SystemRoot%\system32\mswsock.dll
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312581706.0000000000671000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.0000000000671000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00434A8A
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00443355 mov eax, dword ptr fs:[00000030h]4_2_00443355
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_004120B2 GetProcessHeap,HeapFree,4_2_004120B2
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0043503C
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0043BB71
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00434BD8 SetUnhandledExceptionFilter,4_2_00434BD8
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe4_2_00412132
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00419662 mouse_event,4_2_00419662
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.0000000000661000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager%
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.0000000000661000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.0000000000661000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager*
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.0000000000661000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr
Source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000061D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00434CB6 cpuid 4_2_00434CB6
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetLocaleInfoA,4_2_0040F90C
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: EnumSystemLocalesW,4_2_0045201B
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: EnumSystemLocalesW,4_2_004520B6
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_00452143
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetLocaleInfoW,4_2_00452393
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: EnumSystemLocalesW,4_2_00448484
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_004524BC
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetLocaleInfoW,4_2_004525C3
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00452690
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: GetLocaleInfoW,4_2_0044896D
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00451D58
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: EnumSystemLocalesW,4_2_00451FD0
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00404F51 GetLocalTime,CreateEventA,CreateThread,4_2_00404F51
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_0041B69E GetComputerNameExW,GetUserNameW,4_2_0041B69E
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: 4_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00449210
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTR
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data4_2_0040BA4D
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\4_2_0040BB6B
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: \key3.db4_2_0040BB6B

Remote Access Functionality

Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-XH0QAV
Source: Yara match | File source: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.2.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe PID: 7416, type: MEMORYSTR
Source: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Code function: cmd.exe4_2_0040569A
MITRE ATT&CK Matrix (a number in parentheses is the count of signatures matched for that technique; cells without a number were not matched)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (12) | Windows Service (1) | Bypass User Account Control (1) | Obfuscated Files or Information (2) | Input Capture (111) | Account Discovery (1) | Remote Desktop Protocol | Input Capture (111) | Encrypted Channel (2) | Exfiltration Over Bluetooth | Defacement (1)
Email Addresses | DNS Server | Domain Accounts | Service Execution (2) | Logon Script (Windows) | Access Token Manipulation (1) | DLL Side-Loading (1) | Credentials In Files (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (1) | Bypass User Account Control (1) | NTDS | File and Directory Discovery (2) | Distributed Component Object Model | Input Capture | Remote Access Software (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (11) | Masquerading (1) | LSA Secrets | System Information Discovery (23) | SSH | Keylogging | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (1) | Cached Domain Credentials | Security Software Discovery (21) | VNC | GUI Input Capture | Application Layer Protocol (12) | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Access Token Manipulation (1) | DCSync | Virtualization/Sandbox Evasion (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (11) | Proc Filesystem | Process Discovery (2) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | 84% | ReversingLabs | Win32.Backdoor.Remcos
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
rem.aaahorneswll.com | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp1 | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312581706.000000000065F000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.0000000000651000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/ | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.0000000000651000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp/C | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.000000000061D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpSystem32 | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp3U | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.000000000061D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpCT | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000002.3712078934.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, 00000004.00000003.1312447834.000000000061D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
80.76.51.190 | unknown | Bulgaria | 43659 | CLOUDCOMPUTINGDE | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546403
Start date and time: 2024-10-31 21:08:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 30
• Number of non-executed functions: 219
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
Time | Type | Description
17:31:21 | API Interceptor | 4020189x Sleep call for process: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe modified
Match: 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
5Tqze.exe | malicious | Remcos | geoplugin.net/json.gp
PO-33463334788.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
0001.xls | malicious | Remcos | geoplugin.net/json.gp
1.rtf | malicious | Remcos | geoplugin.net/json.gp
HSBC Payment Swift Copy.exe | malicious | Remcos | geoplugin.net/json.gp
ingswhic.doc | malicious | Remcos | geoplugin.net/json.gp
swithnew.doc | malicious | Remcos | geoplugin.net/json.gp
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
Match: geoplugin.net
Associated Sample Name / URL | Detection | Threat Name | Context
5Tqze.exe | malicious | Remcos | 178.237.33.50
PO-33463334788.exe | malicious | Remcos, GuLoader | 178.237.33.50
A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader | 178.237.33.50
0001.xls | malicious | Remcos | 178.237.33.50
1.rtf | malicious | Remcos | 178.237.33.50
HSBC Payment Swift Copy.exe | malicious | Remcos | 178.237.33.50
ingswhic.doc | malicious | Remcos | 178.237.33.50
swithnew.doc | malicious | Remcos | 178.237.33.50
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | malicious | Remcos | 178.237.33.50
Match: CLOUDCOMPUTINGDE
Associated Sample Name / URL | Detection | Threat Name | Context
sample.exe | malicious | Unknown | 185.216.68.121
sample.exe | malicious | Unknown | 185.216.68.121
Spedizione.vbs | malicious | Unknown | 80.76.51.209
NUEVO PRESUPUESTO_0014.exe | malicious | Unknown | 185.216.68.121
NUEVO PRESUPUESTO_0014.exe | malicious | Unknown | 185.216.68.121
Public Holiday_Notice 2024.exe | malicious | Remcos | 194.169.175.190
DN TK 7239 (()DHL#3272524765pdf.exe | malicious | Remcos | 194.169.175.190
scan_copy -account details.exe | malicious | Remcos | 194.169.175.190
통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | malicious | Remcos | 194.169.175.190
Salary July 2024pdf.exe | malicious | Remcos | 194.169.175.190

Match: ATOM86-ASATOM86NL
Associated Sample Name / URL | Detection | Threat Name | Context
5Tqze.exe | malicious | Remcos | 178.237.33.50
PO-33463334788.exe | malicious | Remcos, GuLoader | 178.237.33.50
A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader | 178.237.33.50
0001.xls | malicious | Remcos | 178.237.33.50
1.rtf | malicious | Remcos | 178.237.33.50
HSBC Payment Swift Copy.exe | malicious | Remcos | 178.237.33.50
ingswhic.doc | malicious | Remcos | 178.237.33.50
swithnew.doc | malicious | Remcos | 178.237.33.50
1730208009cbbc5185357f6c127206378a947c7560ccc5f5234da3819452d576d86ecf0fd2268.dat-decoded.exe | malicious | Remcos | 178.237.33.50

No context
No context
Process: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 957
Entropy (8bit): 5.009232287567204
Encrypted: false
SSDEEP: 24:q/dRNuKyGX85jHf3SvXhNlT3/7YvfbYro:OPN0GX85mvhjTkvfEro
MD5: 44D54A5AC06499396A8730BBD17F25A3
SHA1: 42C93B368F10296F4BABC81D6FA184A21442AB09
SHA-256: 37F0E9410318802654A94D9F483128737382FF6EF685EA0BBB643C8E98ED2ED9
SHA-512: 9CF51016B1E6ABF59C624ABF9619E2FBD1806D6BF51AA152E4E0CC92CA8649BFC73369E96C8EA96892D6178DE48A0B4D7B52328BEF6FE9249EE72ABE5386FA65
Malicious: false
Reputation: low
Preview (the geoplugin.net JSON response written to disk; line breaks restored):
{
  "geoplugin_request":"173.254.250.77",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"Killeen",
  "geoplugin_region":"Texas",
  "geoplugin_regionCode":"TX",
  "geoplugin_regionName":"Texas",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"625",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"31.0065",
  "geoplugin_longitude":"-97.8406",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/Chicago",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.601398079282312
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
File size: 494'592 bytes
MD5: e059128970dd9b9bc923ad682dfc733d
SHA1: ba609e29ac0737b758652b3f8711f3e813e3057c
SHA256: 82d05f7c1e3d16ba7e22348af4c14533cce64567b024e2149b511c62a85c81bc
SHA512: 338319d6cb33b013d6130eba351112e97a6882e2f8e0990b0e048cb2e77611a2452552eb021fe3f4cd66ee74ca20b03f0dee7fbf3d17e0ddfa47ac7646503302
SSDEEP: 6144:wTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZXAXkcrGT4:wTlrYw1RUh3NFn+N5WfIQIjbs/ZXFT4
TLSH: 55B49E01BAD2C072D57514300D3AF776EAB8BD201835497B73EA1D5BFE31190A72AAB7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
Icon Hash: 95694d05214c1b33
Entrypoint: 0x434a80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x66F18049 [Mon Sep 23 14:50:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 1389569a3a39186f3eb453b501cfe688
                                      Instruction
                                      call 00007F13CCE0300Bh
                                      jmp 00007F13CCE02A53h
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 00000324h
                                      push ebx
                                      push esi
                                      push 00000017h
                                      call 00007F13CCE252A3h
                                      test eax, eax
                                      je 00007F13CCE02BC7h
                                      mov ecx, dword ptr [ebp+08h]
                                      int 29h
                                      xor esi, esi
                                      lea eax, dword ptr [ebp-00000324h]
                                      push 000002CCh
                                      push esi
                                      push eax
                                      mov dword ptr [00471D14h], esi
                                      call 00007F13CCE05016h
                                      add esp, 0Ch
                                      mov dword ptr [ebp-00000274h], eax
                                      mov dword ptr [ebp-00000278h], ecx
                                      mov dword ptr [ebp-0000027Ch], edx
                                      mov dword ptr [ebp-00000280h], ebx
                                      mov dword ptr [ebp-00000284h], esi
                                      mov dword ptr [ebp-00000288h], edi
                                      mov word ptr [ebp-0000025Ch], ss
                                      mov word ptr [ebp-00000268h], cs
                                      mov word ptr [ebp-0000028Ch], ds
                                      mov word ptr [ebp-00000290h], es
                                      mov word ptr [ebp-00000294h], fs
                                      mov word ptr [ebp-00000298h], gs
                                      pushfd
                                      pop dword ptr [ebp-00000264h]
                                      mov eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-0000026Ch], eax
                                      lea eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-00000260h], eax
                                      mov dword ptr [ebp-00000324h], 00010001h
                                      mov eax, dword ptr [eax-04h]
                                      push 00000050h
                                      mov dword ptr [ebp-00000270h], eax
                                      lea eax, dword ptr [ebp-58h]
                                      push esi
                                      push eax
                                      call 00007F13CCE04F8Dh
Programming Language:
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4acc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | e504ab64b98631753dc227346d757c52 | False | 0.5716379348995696 | data | 6.6273936921798455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 03563836e8ba6bd75dd82177f19b0089 | False | 0.5008370535714286 | data | 5.862029025853186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4acc | 0x4c00 | f32e4e4f3f9c51b17ff1d9e42cde0c8e | False | 0.2769839638157895 | data | 3.980533372766203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 047d13d1dd0f82094cdf10f08253441e | False | 0.7640625 | data | 6.723768218094163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x4bf | data | | | 1.0090534979423869
RT_GROUP_ICON | 0x7da8c | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T21:09:03.375552+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49700 | 80.76.51.190 | 16465 | TCP
2024-10-31T21:09:06.746297+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | TCP
2024-10-31T21:09:19.713882+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.7 | 49732 | TCP
2024-10-31T21:09:58.445866+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.7 | 49931 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 21:09:05.852703094 CET | 64354 | 53 | 192.168.2.7 | 1.1.1.1
Oct 31, 2024 21:09:05.860860109 CET | 53 | 64354 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 21:09:05.852703094 CET | 192.168.2.7 | 1.1.1.1 | 0xeefa | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 21:09:05.860860109 CET | 1.1.1.1 | 192.168.2.7 | 0xeefa | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | 7416 | C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Oct 31, 2024 21:09:05.874209881 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                      Host: geoplugin.net
                                      Cache-Control: no-cache
Oct 31, 2024 21:09:06.744910955 CET | 1165 | IN | HTTP/1.1 200 OK
                                      date: Thu, 31 Oct 2024 20:09:06 GMT
                                      server: Apache
                                      content-length: 957
                                      content-type: application/json; charset=utf-8
                                      cache-control: public, max-age=300
                                      access-control-allow-origin: *
                                      Data Ascii: { "geoplugin_request":"173.254.250.77", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                      Target ID:4
                                      Start time:16:09:01
                                      Start date:31/10/2024
                                      Path:C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe"
                                      Imagebase:0x400000
                                      File size:494'592 bytes
                                      MD5 hash:E059128970DD9B9BC923AD682DFC733D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.1269092384.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.3712078934.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:3.9%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:22.8%
                                        Total number of Nodes:1272
                                        Total number of Limit Nodes:58
GetCurrentProcess IsWow64Process 48162->48164 48166 4135e1 RegOpenKeyExA 48163->48166 48164->48163 48165 41c06c 48164->48165 48165->48163 48167 41360f RegQueryValueExA RegCloseKey 48166->48167 48168 413639 48166->48168 48167->48168 48169 402093 28 API calls 48168->48169 48170 41364e 48169->48170 48170->47779 48171->47787 48173 40b947 48172->48173 48178 402252 48173->48178 48175 40b952 48182 40b967 48175->48182 48177 40b961 48177->47798 48179 4022ac 48178->48179 48180 40225c 48178->48180 48179->48175 48180->48179 48189 402779 11 API calls std::_Deallocate 48180->48189 48183 40b9a1 48182->48183 48184 40b973 48182->48184 48201 4028a4 22 API calls 48183->48201 48190 4027e6 48184->48190 48188 40b97d 48188->48177 48189->48179 48191 4027ef 48190->48191 48192 402851 48191->48192 48193 4027f9 48191->48193 48203 4028a4 22 API calls 48192->48203 48196 402802 48193->48196 48198 402815 48193->48198 48202 402aea 28 API calls __EH_prolog 48196->48202 48199 402813 48198->48199 48200 402252 11 API calls 48198->48200 48199->48188 48200->48199 48202->48199 48204->47807 48206 402347 48205->48206 48207 402252 11 API calls 48206->48207 48208 4023c7 48207->48208 48208->47807 48210 4024f9 48209->48210 48211 40250a 28 API calls 48210->48211 48212 4020b1 48211->48212 48212->47549 48229 43ba8a 48213->48229 48215 43aed0 48235 43a837 36 API calls 3 library calls 48215->48235 48217 43ae95 48217->48215 48218 43aeaa 48217->48218 48220 43aeaf __cftof 48217->48220 48234 44062d 20 API calls _Atexit 48218->48234 48220->47836 48222 43aedc 48224 43af0b 48222->48224 48236 43bacf 40 API calls __Tolower 48222->48236 48226 43af77 48224->48226 48237 43ba36 20 API calls 2 library calls 48224->48237 48238 43ba36 20 API calls 2 library calls 48226->48238 48227 43b03e _strftime 48227->48220 48239 44062d 20 API calls _Atexit 48227->48239 48230 43baa2 48229->48230 48231 43ba8f 48229->48231 48230->48217 48240 44062d 20 API calls _Atexit 48231->48240 48233 43ba94 __cftof 48233->48217 48234->48220 48235->48222 
48236->48222 48237->48226 48238->48227 48239->48220 48240->48233 48247 401fb0 48241->48247 48243 402f1e 48244 402055 11 API calls 48243->48244 48245 402f2d 48244->48245 48245->47850 48246->47853 48248 4025f0 28 API calls 48247->48248 48249 401fbd 48248->48249 48249->48243 48251 40a162 48250->48251 48252 413584 3 API calls 48251->48252 48253 40a169 48252->48253 48254 40a197 48253->48254 48255 40a17d 48253->48255 48256 409097 28 API calls 48254->48256 48257 40a182 48255->48257 48258 409ed6 48255->48258 48259 40a1a5 48256->48259 48271 409097 48257->48271 48258->47600 48278 40a1b4 86 API calls 48259->48278 48264 40a195 48264->48258 48265->47878 48295 403222 48266->48295 48268 403022 48299 403262 48268->48299 48272 4090ad 48271->48272 48273 402252 11 API calls 48272->48273 48274 4090c7 48273->48274 48279 404267 48274->48279 48276 4090d5 48277 40a268 29 API calls 48276->48277 48277->48264 48291 40a2ae 164 API calls 48277->48291 48278->48258 48292 40a2a2 86 API calls 48278->48292 48293 40a2c4 49 API calls 48278->48293 48294 40a2b8 129 API calls 48278->48294 48280 402888 22 API calls 48279->48280 48281 40427b 48280->48281 48282 404290 48281->48282 48283 4042a5 48281->48283 48289 4042df 22 API calls 48282->48289 48285 4027e6 28 API calls 48283->48285 48288 4042a3 48285->48288 48286 404299 48290 402c48 22 API calls 48286->48290 48288->48276 48289->48286 48290->48288 48296 40322e 48295->48296 48305 403618 48296->48305 48298 40323b 48298->48268 48300 40326e 48299->48300 48301 402252 11 API calls 48300->48301 48302 403288 48301->48302 48303 402336 11 API calls 48302->48303 48304 403031 48303->48304 48304->47883 48306 403626 48305->48306 48307 403644 48306->48307 48308 40362c 48306->48308 48310 40365c 48307->48310 48311 40369e 48307->48311 48316 4036a6 28 API calls 48308->48316 48312 403642 48310->48312 48315 4027e6 28 API calls 48310->48315 48317 4028a4 22 API calls 48311->48317 48312->48298 48315->48312 48316->48312 48319 404186 48318->48319 48320 402252 11 API calls 
48319->48320 48321 404191 48320->48321 48329 4041bc 48321->48329 48324 4042fc 48340 404353 48324->48340 48326 40430a 48327 403262 11 API calls 48326->48327 48328 404319 48327->48328 48328->47891 48330 4041c8 48329->48330 48333 4041d9 48330->48333 48332 40419c 48332->48324 48334 4041e9 48333->48334 48335 404206 48334->48335 48336 4041ef 48334->48336 48337 4027e6 28 API calls 48335->48337 48338 404267 28 API calls 48336->48338 48339 404204 48337->48339 48338->48339 48339->48332 48341 40435f 48340->48341 48344 404371 48341->48344 48343 40436d 48343->48326 48345 40437f 48344->48345 48346 404385 48345->48346 48347 40439e 48345->48347 48410 4034e6 28 API calls 48346->48410 48348 402888 22 API calls 48347->48348 48349 4043a6 48348->48349 48351 404419 48349->48351 48352 4043bf 48349->48352 48411 4028a4 22 API calls 48351->48411 48354 4027e6 28 API calls 48352->48354 48363 40439c 48352->48363 48354->48363 48363->48343 48410->48363 48418 43ab1a 48412->48418 48416 4138ca RegSetValueExA RegCloseKey 48415->48416 48417 4138f4 48415->48417 48416->48417 48417->47907 48421 43aa9b 48418->48421 48420 40170d 48420->47909 48422 43aaaa 48421->48422 48423 43aabe 48421->48423 48427 44062d 20 API calls _Atexit 48422->48427 48426 43aaaf __alldvrm __cftof 48423->48426 48428 4489d7 11 API calls 2 library calls 48423->48428 48426->48420 48427->48426 48428->48426 48432 41b98a ctype ___scrt_fastfail 48429->48432 48430 402093 28 API calls 48431 414f84 48430->48431 48431->47916 48432->48430 48433->47933 48435 414f33 48434->48435 48436 414f3d WSASetLastError 48434->48436 48585 414dc1 29 API calls ___std_exception_copy 48435->48585 48436->47986 48438 414f38 48438->48436 48441 404846 socket 48440->48441 48442 404839 48440->48442 48444 404860 CreateEventW 48441->48444 48445 404842 48441->48445 48586 40489e WSAStartup 48442->48586 48444->47986 48445->47986 48446 40483e 48446->48441 48446->48445 48448 404f65 48447->48448 48449 404fea 48447->48449 48450 404f6e 48448->48450 48451 404fc0 CreateEventA 
CreateThread 48448->48451 48452 404f7d GetLocalTime 48448->48452 48449->47986 48450->48451 48451->48449 48588 405150 48451->48588 48453 41bc1f 28 API calls 48452->48453 48454 404f91 48453->48454 48587 4052fd 28 API calls 48454->48587 48463 404a1b 48462->48463 48464 4048ee 48462->48464 48465 404a21 WSAGetLastError 48463->48465 48466 40497e 48463->48466 48464->48466 48468 40531e 28 API calls 48464->48468 48486 404923 48464->48486 48465->48466 48467 404a31 48465->48467 48466->47986 48469 404a36 48467->48469 48474 404932 48467->48474 48471 40490f 48468->48471 48597 41cb72 30 API calls 48469->48597 48475 402093 28 API calls 48471->48475 48473 40492b 48473->48474 48477 404941 48473->48477 48478 402093 28 API calls 48474->48478 48480 40491e 48475->48480 48476 404a40 48598 4052fd 28 API calls 48476->48598 48488 404950 48477->48488 48489 404987 48477->48489 48479 404a80 48478->48479 48482 402093 28 API calls 48479->48482 48483 41b580 80 API calls 48480->48483 48485 404a8f 48482->48485 48483->48486 48490 41b580 80 API calls 48485->48490 48592 420cf1 27 API calls 48486->48592 48493 402093 28 API calls 48488->48493 48594 421ad1 54 API calls 48489->48594 48490->48466 48496 40495f 48493->48496 48495 40498f 48499 4049c4 48495->48499 48500 404994 48495->48500 48497 402093 28 API calls 48496->48497 48501 40496e 48497->48501 48596 420e97 28 API calls 48499->48596 48504 402093 28 API calls 48500->48504 48505 41b580 80 API calls 48501->48505 48507 4049a3 48504->48507 48508 404973 48505->48508 48506 4049cc 48509 4049f9 CreateEventW CreateEventW 48506->48509 48511 402093 28 API calls 48506->48511 48510 402093 28 API calls 48507->48510 48593 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48508->48593 48509->48466 48512 4049b2 48510->48512 48514 4049e2 48511->48514 48515 41b580 80 API calls 48512->48515 48517 402093 28 API calls 48514->48517 48516 4049b7 48515->48516 48595 421143 52 API calls 48516->48595 48519 4049f1 48517->48519 48520 41b580 80 API calls 
48519->48520 48521 4049f6 48520->48521 48521->48509 48599 41b847 GlobalMemoryStatusEx 48522->48599 48524 41b886 48524->47986 48600 4145bb 48525->48600 48529 441edd 48528->48529 48638 441ccd 48529->48638 48531 441efe 48531->47986 48533 40dde0 48532->48533 48534 41353a 3 API calls 48533->48534 48535 40dde7 48534->48535 48536 413584 3 API calls 48535->48536 48537 40ddff 48535->48537 48536->48537 48537->47986 48539 4020b7 28 API calls 48538->48539 48540 41bce8 48539->48540 48540->47986 48542 41bdbc 48541->48542 48543 4020b7 28 API calls 48542->48543 48544 41bdce 48543->48544 48544->47986 48546 441ed1 20 API calls 48545->48546 48547 41bc43 48546->48547 48548 402093 28 API calls 48547->48548 48549 41bc51 48548->48549 48549->47986 48550->47995 48552 436f10 ___scrt_fastfail 48551->48552 48553 41bb46 GetForegroundWindow GetWindowTextW 48552->48553 48554 40417e 28 API calls 48553->48554 48555 41bb70 48554->48555 48555->47995 48557 402093 28 API calls 48556->48557 48558 40f931 48557->48558 48558->47995 48559->47995 48561 4020df 11 API calls 48560->48561 48562 404c27 48561->48562 48563 4020df 11 API calls 48562->48563 48577 404c30 48563->48577 48564 43bda0 new 21 API calls 48564->48577 48566 404c96 48568 404ca1 48566->48568 48566->48577 48567 4020b7 28 API calls 48567->48577 48656 404e26 99 API calls 48568->48656 48569 401fe2 28 API calls 48569->48577 48571 404ca8 48573 401fd8 11 API calls 48571->48573 48572 401fd8 11 API calls 48572->48577 48574 404cb1 48573->48574 48575 401fd8 11 API calls 48574->48575 48576 404cba 48575->48576 48576->47964 48577->48564 48577->48566 48577->48567 48577->48569 48577->48572 48643 404cc3 48577->48643 48655 404b96 57 API calls 48577->48655 48579->47986 48580->47964 48582->47995 48583->47964 48584->47964 48585->48438 48586->48446 48591 40515c 102 API calls 48588->48591 48590 405159 48591->48590 48592->48473 48593->48466 48594->48495 48595->48508 48596->48506 48597->48476 48599->48524 48603 41458e 48600->48603 48604 4145a3 
___scrt_initialize_default_local_stdio_options 48603->48604 48607 43f7ed 48604->48607 48610 43c540 48607->48610 48611 43c580 48610->48611 48612 43c568 48610->48612 48611->48612 48614 43c588 48611->48614 48632 44062d 20 API calls _Atexit 48612->48632 48633 43a837 36 API calls 3 library calls 48614->48633 48616 43c598 48634 43ccc6 20 API calls 2 library calls 48616->48634 48617 43c56d __cftof 48625 43502b 48617->48625 48620 4145b1 48620->47986 48621 43c610 48635 43d334 51 API calls 3 library calls 48621->48635 48624 43c61b 48636 43cd30 20 API calls _free 48624->48636 48626 435036 IsProcessorFeaturePresent 48625->48626 48627 435034 48625->48627 48629 435078 48626->48629 48627->48620 48637 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48629->48637 48631 43515b 48631->48620 48632->48617 48633->48616 48634->48621 48635->48624 48636->48617 48637->48631 48639 441ce4 48638->48639 48641 441d1b __cftof 48639->48641 48642 44062d 20 API calls _Atexit 48639->48642 48641->48531 48642->48641 48644 4020df 11 API calls 48643->48644 48653 404cde 48644->48653 48645 404e13 48646 401fd8 11 API calls 48645->48646 48647 404e1c 48646->48647 48647->48566 48648 4041a2 28 API calls 48648->48653 48649 401fe2 28 API calls 48649->48653 48650 401fc0 28 API calls 48652 404dad CreateEventA CreateThread WaitForSingleObject CloseHandle 48650->48652 48651 4020f6 28 API calls 48651->48653 48652->48653 48657 415b25 48652->48657 48653->48645 48653->48648 48653->48649 48653->48650 48653->48651 48654 401fd8 11 API calls 48653->48654 48654->48653 48655->48577 48656->48571 48658 4020f6 28 API calls 48657->48658 48659 415b47 SetEvent 48658->48659 48660 415b5c 48659->48660 48661 4041a2 28 API calls 48660->48661 48662 415b76 48661->48662 48663 4020f6 28 API calls 48662->48663 48664 415b86 48663->48664 48665 4020f6 28 API calls 48664->48665 48666 415b98 48665->48666 48667 41beac 28 API calls 48666->48667 48668 415ba1 48667->48668 48669 4170c4 48668->48669 48671 
415bc1 GetTickCount 48668->48671 48672 415d6a 48668->48672 48670 401e8d 11 API calls 48669->48670 48674 4170cd 48670->48674 48675 41bc1f 28 API calls 48671->48675 48672->48669 48673 415d20 48672->48673 48673->48669 48743 4050e4 84 API calls 48673->48743 48677 401fd8 11 API calls 48674->48677 48678 415bd2 48675->48678 48680 4170d9 48677->48680 48736 41bb77 GetLastInputInfo GetTickCount 48678->48736 48682 401fd8 11 API calls 48680->48682 48681 415bde 48683 41bc1f 28 API calls 48681->48683 48684 4170e5 48682->48684 48685 415be9 48683->48685 48686 41bb27 30 API calls 48685->48686 48687 415bf7 48686->48687 48688 41bdaf 28 API calls 48687->48688 48689 415c05 48688->48689 48690 401e65 22 API calls 48689->48690 48691 415c13 48690->48691 48737 402f31 28 API calls 48691->48737 48693 415c21 48738 402ea1 28 API calls 48693->48738 48695 415c30 48696 402f10 28 API calls 48695->48696 48697 415c3f 48696->48697 48739 402ea1 28 API calls 48697->48739 48699 415c4e 48700 402f10 28 API calls 48699->48700 48701 415c5a 48700->48701 48740 402ea1 28 API calls 48701->48740 48703 415c64 48741 404aa1 61 API calls ctype 48703->48741 48705 415c73 48706 401fd8 11 API calls 48705->48706 48707 415c7c 48706->48707 48708 401fd8 11 API calls 48707->48708 48709 415c88 48708->48709 48710 401fd8 11 API calls 48709->48710 48711 415c94 48710->48711 48712 401fd8 11 API calls 48711->48712 48713 415ca0 48712->48713 48714 401fd8 11 API calls 48713->48714 48715 415cac 48714->48715 48716 401fd8 11 API calls 48715->48716 48717 415cb8 48716->48717 48718 401f09 11 API calls 48717->48718 48719 415cc1 48718->48719 48720 401fd8 11 API calls 48719->48720 48721 415cca 48720->48721 48722 401fd8 11 API calls 48721->48722 48723 415cd3 48722->48723 48724 401e65 22 API calls 48723->48724 48725 415cde 48724->48725 48726 43bb2c _strftime 40 API calls 48725->48726 48727 415ceb 48726->48727 48728 415cf0 48727->48728 48729 415d16 48727->48729 48731 415d09 48728->48731 48732 415cfe 48728->48732 48730 401e65 22 API calls 
48729->48730 48730->48673 48734 404f51 105 API calls 48731->48734 48742 404ff4 82 API calls 48732->48742 48735 415d04 48734->48735 48735->48669 48736->48681 48737->48693 48738->48695 48739->48699 48740->48703 48741->48705 48742->48735 48743->48735 48746 401f8e 48745->48746 48747 402252 11 API calls 48746->48747 48748 401f99 48747->48748 48748->48028 48748->48029 48748->48031 48749->48036 48750->48060 48751->48062 48752->48050 48753->48054 48754->48061 48757 40f7fd 48755->48757 48756 413584 3 API calls 48756->48757 48757->48756 48758 40f82f 48757->48758 48759 40f8a1 48757->48759 48761 40f891 Sleep 48757->48761 48760 409097 28 API calls 48758->48760 48758->48761 48764 41bcef 28 API calls 48758->48764 48770 401f09 11 API calls 48758->48770 48774 402093 28 API calls 48758->48774 48777 4137aa 14 API calls 48758->48777 48788 40d0d1 112 API calls ___scrt_fastfail 48758->48788 48789 41384f 14 API calls 48758->48789 48762 409097 28 API calls 48759->48762 48760->48758 48761->48757 48765 40f8ac 48762->48765 48764->48758 48766 41bcef 28 API calls 48765->48766 48767 40f8b8 48766->48767 48790 41384f 14 API calls 48767->48790 48770->48758 48771 40f8cb 48772 401f09 11 API calls 48771->48772 48773 40f8d7 48772->48773 48775 402093 28 API calls 48773->48775 48774->48758 48776 40f8e8 48775->48776 48778 4137aa 14 API calls 48776->48778 48777->48758 48779 40f8fb 48778->48779 48791 41288b TerminateProcess WaitForSingleObject 48779->48791 48781 40f903 ExitProcess 48792 412829 62 API calls 48787->48792 48789->48758 48790->48771 48791->48781 48793 42f97e 48794 42f989 48793->48794 48795 42f99d 48794->48795 48797 432f7f 48794->48797 48798 432f8a 48797->48798 48799 432f8e 48797->48799 48798->48795 48801 440f5d 48799->48801 48802 446206 48801->48802 48803 446213 48802->48803 48804 44621e 48802->48804 48814 4461b8 48803->48814 48806 446226 48804->48806 48812 44622f __Getctype 48804->48812 48821 446802 48806->48821 48807 446234 48827 44062d 20 API calls _Atexit 48807->48827 48808 446259 
RtlReAllocateHeap 48811 44621b 48808->48811 48808->48812 48811->48798 48812->48807 48812->48808 48828 443001 7 API calls 2 library calls 48812->48828 48815 4461f6 48814->48815 48816 4461c6 __Getctype 48814->48816 48830 44062d 20 API calls _Atexit 48815->48830 48816->48815 48817 4461e1 RtlAllocateHeap 48816->48817 48829 443001 7 API calls 2 library calls 48816->48829 48817->48816 48819 4461f4 48817->48819 48819->48811 48822 44680d RtlFreeHeap 48821->48822 48823 446836 _free 48821->48823 48822->48823 48824 446822 48822->48824 48823->48811 48831 44062d 20 API calls _Atexit 48824->48831 48826 446828 GetLastError 48826->48823 48827->48811 48828->48812 48829->48816 48830->48819 48831->48826 48832 426cdc 48837 426d59 send 48832->48837 48838 41e04e 48839 41e063 ctype ___scrt_fastfail 48838->48839 48841 432f55 21 API calls 48839->48841 48851 41e266 48839->48851 48845 41e213 ___scrt_fastfail 48841->48845 48842 41e277 48843 41e21a 48842->48843 48844 432f55 21 API calls 48842->48844 48847 41e2b0 ___scrt_fastfail 48844->48847 48845->48843 48846 432f55 21 API calls 48845->48846 48849 41e240 ___scrt_fastfail 48846->48849 48847->48843 48853 4335db 48847->48853 48849->48843 48850 432f55 21 API calls 48849->48850 48850->48851 48851->48843 48852 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 48851->48852 48852->48842 48856 4334fa 48853->48856 48855 4335e3 48855->48843 48857 433513 48856->48857 48861 433509 48856->48861 48858 432f55 21 API calls 48857->48858 48857->48861 48859 433534 48858->48859 48859->48861 48862 4338c8 CryptAcquireContextA 48859->48862 48861->48855 48863 4338e4 48862->48863 48864 4338e9 CryptGenRandom 48862->48864 48863->48861 48864->48863 48865 4338fe CryptReleaseContext 48864->48865 48865->48863 48866 426c6d 48872 426d42 recv 48866->48872

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
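The list above is the output of a single resolver routine (the `ref:` addresses all fall in 0041CBE1) that fetches every sensitive import at run time through LoadLibraryA/GetModuleHandleA plus GetProcAddress, so none of these names appear in the PE import table. The following Python is an added triage example, not part of the Joe Sandbox report or of the sample; it parses the report's `Func.MODULE(args), ref: ADDR` lines, normalises library names, separates the ordinal import from named ones, and annotates symbols worth a second look. The `CAPABILITY_HINTS` table is this example's own heuristic, not something the report states.

```python
import re
from collections import defaultdict

# The library/function lines from the report's APIs list for the routine at
# 0041CBE1, copied verbatim. Two GetProcAddress lines are kept so the parser
# has to skip them. Constructed inline so the example runs offline.
RESOLVER_LINES = """
LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
GetProcAddress.KERNEL32(00000000), ref: 0041CC19
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
"""

# Only the library-loading lines carry a (library, symbol) pair; the
# trailing ?,?,?,?,<retaddr> arguments are stack noise from the sandbox.
LINE_RE = re.compile(
    r"^(?P<loader>LoadLibraryA|GetModuleHandleA)\.KERNEL32\("
    r"(?P<lib>[^,]+),(?P<sym>[^,]+),[^)]*\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
# An 8-digit hex "name" is an ordinal passed to GetProcAddress, not a string.
ORDINAL_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Analyst heuristic (this example's own, not the report's): what each
# symbol does, so the resolver list can be read as a capability summary.
CAPABILITY_HINTS = {
    "NtUnmapViewOfSection": "unmaps a section from a process; the process-hollowing primitive",
    "NtSuspendProcess": "suspends every thread of a process",
    "NtResumeProcess": "resumes a suspended process",
    "NtQueryInformationProcess": "undocumented process introspection",
    "IsUserAnAdmin": "checks whether the caller runs elevated",
    "SetProcessDEPPolicy": "changes the DEP policy of the calling process",
    "GetExtendedTcpTable": "enumerates TCP endpoints of all processes",
    "GetExtendedUdpTable": "enumerates UDP endpoints of all processes",
    "RmStartSession": "Restart Manager: finds processes holding a file open",
    "GetProcessImageFileNameW": "maps a process handle to its image path",
}


def parse_resolver(text):
    """Turn the report's API lines into (loader, lib, sym, ordinal, ref) records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()  # tolerate the report's bullets
        m = LINE_RE.match(line)
        if not m:
            continue  # GetProcAddress lines and blanks carry no library/symbol
        sym = m["sym"]
        entries.append({
            "loader": m["loader"],
            "lib": m["lib"].lower(),  # the sample mixes "Kernel32" and "kernel32"
            "sym": sym,
            "ordinal": int(sym, 16) if ORDINAL_RE.match(sym) else None,
            "ref": int(m["ref"], 16),
        })
    return entries


def by_library(entries):
    """Symbols resolved per (lower-cased) library."""
    libs = defaultdict(set)
    for e in entries:
        libs[e["lib"]].add(e["sym"])
    return dict(libs)


def ordinal_imports(entries):
    """(library, ordinal) pairs: names hidden even from string-based scanners."""
    return [(e["lib"], e["ordinal"]) for e in entries if e["ordinal"] is not None]


def flag_capabilities(entries):
    """Symbols with a triage note, in resolver order."""
    return [(e["sym"], CAPABILITY_HINTS[e["sym"]])
            for e in entries if e["sym"] in CAPABILITY_HINTS]


def module_handle_only_libs(entries):
    """Libraries fetched with GetModuleHandleA, i.e. assumed already mapped;
    GetModuleHandleA returns NULL instead of loading a missing DLL."""
    return sorted({e["lib"] for e in entries if e["loader"] == "GetModuleHandleA"})


if __name__ == "__main__":
    ents = parse_resolver(RESOLVER_LINES)
    for lib, syms in sorted(by_library(ents).items()):
        print(f"{lib}: {', '.join(sorted(syms))}")
    print("ordinal imports:", ordinal_imports(ents))
    for sym, note in flag_capabilities(ents):
        print(f"  {sym}: {note}")
```

The same parser runs over any Joe Sandbox "APIs" block, since the `Func.MODULE(args), ref: ADDR` layout is uniform across report pages. Two details are worth keeping in a triage note: the single ordinal import (Shlwapi, ordinal 12) has no name to match on at all, and the resolver only calls GetModuleHandleA for kernel32, ntdll and user32, the DLLs it can assume are already mapped, while everything else goes through LoadLibraryA.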
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                        • API String ID: 4236061018-3687161714
                                        • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                        • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                        • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                        • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                        Control-flow Graph

control_flow_graph for the routine at 0040EA00 (rendered graph; the raw block list is omitted). Its first block calls 41cbe1, the API resolver listed above, and then GetModuleFileNameW. Windows APIs reached from its other blocks: CreateThread (40effe, 40f103, 40f158, 40f1a9, 40f27e, 40f293, 40f2a8), StrToIntA (40f025), SetProcessDEPPolicy (40f27b) and DeleteFileW (40f381), the last in a retry loop that sleeps (40f36f) and calls DeleteFileW again until it succeeds. Internal routines called along the way include 40d0a4, 41b354, 407751, 40729b, 40da6f, 40ce34, 434829, 413982, 40f4af, 41ce2c, 41b580, 409e1f, 43455e, 40da23, 40c19d, 41b69e, 41353a, 413656, 40dd7d and 414f65.
                                        APIs
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe,00000104), ref: 0040EA29
                                          • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                        • String ID: ,aF$,aF$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-XH0QAV$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                        • API String ID: 2830904901-1671480119
                                        • Opcode ID: 812be0f1e7c38ba9f07a1fe3ee97efc8b1479d3c614fe8d7e3374410533dbbc8
                                        • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                        • Opcode Fuzzy Hash: 812be0f1e7c38ba9f07a1fe3ee97efc8b1479d3c614fe8d7e3374410533dbbc8
                                        • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                        Control-flow Graph

                                        APIs
                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                        Strings
                                        • http://geoplugin.net/json.gp, xrefs: 0041B448
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpen$FileRead
                                        • String ID: http://geoplugin.net/json.gp
                                        • API String ID: 3121278467-91888290
                                        • Opcode ID: f8b7b88f44e13cfdc63bd17292d54b3b7b9fb09318b10958e004bbca1d27f117
                                        • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                        • Opcode Fuzzy Hash: f8b7b88f44e13cfdc63bd17292d54b3b7b9fb09318b10958e004bbca1d27f117
                                        • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                          • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                          • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                        • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                        • ExitProcess.KERNEL32 ref: 0040F905
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                        • String ID: 5.1.3 Pro$override$pth_unenc
                                        • API String ID: 2281282204-1392497409
                                        • Opcode ID: 3c8724a3c29de2eacdbba9d0f0ba12620d0f78ae8ad98ca36cdec3b882b37e8a
                                        • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                        • Opcode Fuzzy Hash: 3c8724a3c29de2eacdbba9d0f0ba12620d0f78ae8ad98ca36cdec3b882b37e8a
                                        • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                                        Control-flow Graph

                                        APIs
                                        • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                        Yara matches
                                        Similarity
                                        • API ID: Create$EventLocalThreadTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 2532271599-1507639952
                                        • Opcode ID: e7cf8e4b77719752666b977cdaec8ebc3f6be030fe93d2bf9ddd18710d4519e8
                                        • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                        • Opcode Fuzzy Hash: e7cf8e4b77719752666b977cdaec8ebc3f6be030fe93d2bf9ddd18710d4519e8
                                        • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,006074D0), ref: 004338DA
                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireRandomRelease
                                        • String ID:
                                        • API String ID: 1815803762-0
                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                        • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                        • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                        APIs
                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                        • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                        Yara matches
                                        Similarity
                                        • API ID: Name$ComputerUser
                                        • String ID:
                                        • API String ID: 4229901323-0
                                        • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                        • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                        • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                        • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                        APIs
                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                        • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                        • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$ErrorLastLocalTime
                                        • String ID: | $%I64u$,aF$5.1.3 Pro$8SG$C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-XH0QAV$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                        • API String ID: 524882891-2310623501
                                        • Opcode ID: 192ed37bd85ad3e3087d2172765be92cd777a2c21a8385d3306a35722ee8ab1d
                                        • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                        • Opcode Fuzzy Hash: 192ed37bd85ad3e3087d2172765be92cd777a2c21a8385d3306a35722ee8ab1d
                                        • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                        Control-flow Graph

                                        APIs
                                        • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                        • API String ID: 994465650-2151626615
                                        • Opcode ID: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                        • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                        • Opcode Fuzzy Hash: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                        • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                        Control-flow Graph

                                        • Graph rendering not reproduced. Basic blocks 0040DA6F-0040DC56 (executed and not-executed paths); API call: GetLongPathNameW; internal subroutines called: 00401F86, 00401F04, 0040417E, 0041C048, 0043C11F, 0041B645, 00401F13, 0040DE0C, 00402FA5, 00401F09, 00409092
                                        APIs
                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LongNamePath
                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 82841172-425784914
                                        • Opcode ID: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                        • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                        • Opcode Fuzzy Hash: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                        • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                        Control-flow Graph

                                        • Graph rendering not reproduced. Basic blocks 0041B354-0041B410 (executed and not-executed paths); API call: StrToIntA; internal subroutines called: 0041C048, 004135E1, 00401FE2, 00401FD8, 00406B1C, 00401FAB, 0040537D, 0041CFFA
                                        APIs
                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                          • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                          • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                          • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                          • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                        • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 782494840-2070987746
                                        • Opcode ID: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                        • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                        • Opcode Fuzzy Hash: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                        • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountEventTick
                                        • String ID: !D@$,aF$NG
                                        • API String ID: 180926312-2771706352
                                        • Opcode ID: 10180eaadca4b74a8945fed6b05ca62153e52f016e8badc3fcc3544b5d14d10d
                                        • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                        • Opcode Fuzzy Hash: 10180eaadca4b74a8945fed6b05ca62153e52f016e8badc3fcc3544b5d14d10d
                                        • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A

                                        Control-flow Graph

                                        • Graph rendering not reproduced. Basic blocks 004137AA-0041380A (executed and not-executed paths); API calls: RegCreateKeyA, RegSetValueExA, RegCloseKey; internal subroutines called: 0040247C, 00401FAB, 00401FD8
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                        • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                        • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc
                                        • API String ID: 1818849710-4028850238
                                        • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                        • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                        • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                        • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54

                                        Control-flow Graph

                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                        • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 3360349984-0
                                        • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                        • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                        • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                        • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

                                        Control-flow Graph

                                        • Graph rendering not reproduced. Single basic block 0040D0A4-0040D0D0 (executed); API calls: CreateMutexA, GetLastError; internal subroutine called: 00401FAB
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                        • GetLastError.KERNEL32 ref: 0040D0BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateErrorLastMutex
                                        • String ID: Rmc-XH0QAV
                                        • API String ID: 1925916568-2099775557
                                        • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                        • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                        • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                        • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519

                                        Control-flow Graph

                                        • Graph rendering not reproduced. Basic blocks 004135E1-00413655 (executed and not-executed paths); API calls: RegOpenKeyExA, RegQueryValueExA, RegCloseKey; internal subroutine called: 00402093
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                        • RegCloseKey.KERNEL32(?), ref: 0041362D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                        • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                        • Opcode Fuzzy Hash: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                        • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4

                                        Control-flow Graph

                                        • Graph rendering not reproduced. Basic blocks 00413733-004137A9 (executed and not-executed paths); API calls: RegOpenKeyExA, RegQueryValueExA, RegCloseKey; internal subroutines called: 00406CF2, 00406D77
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                        • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                        • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                        • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                        • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                        • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                        • RegCloseKey.KERNEL32(?), ref: 004135CD
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                        • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                        • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                        • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                        • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                        • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                        • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                        • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                        • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                        • RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID:
                                        • API String ID: 1818849710-0
                                        • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                        • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                        • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                        • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                        APIs
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: pQG
                                        • API String ID: 176396367-3769108836
                                        • Opcode ID: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                        • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                        • Opcode Fuzzy Hash: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                        • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID: @
                                        • API String ID: 1890195054-2766056989
                                        • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                        • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                        • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                        • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                        APIs
                                        • _free.LIBCMT ref: 00446227
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                        Similarity
                                        • API ID: AllocateHeap$_free
                                        • String ID:
                                        • API String ID: 1482568997-0
                                        • Opcode ID: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                        • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                        • Opcode Fuzzy Hash: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                        • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                        APIs
                                        • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                          • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                        Similarity
                                        • API ID: CreateEventStartupsocket
                                        • String ID:
                                        • API String ID: 1953588214-0
                                        • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                        • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                        • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                        • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 0041BB49
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                        Similarity
                                        • API ID: Window$ForegroundText
                                        • String ID:
                                        • API String ID: 29597999-0
                                        • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                        • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                        • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                        • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                        • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                        • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                        • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                        APIs
                                        • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                        Similarity
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                        • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                        • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                        • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                        APIs
                                        Similarity
                                        • API ID: recv
                                        • String ID:
                                        • API String ID: 1507349165-0
                                        • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                        • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                        • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                        • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                        APIs
                                        Similarity
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                        • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                        • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                        • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                          • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                          • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                          • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                        • DeleteFileA.KERNEL32(?), ref: 0040868D
                                          • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                          • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                          • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                          • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                        • Sleep.KERNEL32(000007D0), ref: 00408733
                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                          • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                        Similarity
                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                        • String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                        • API String ID: 1067849700-414524693
                                        • Opcode ID: 085f496563eb3368f1495d8a85dc81db8c626588090c1be3a7cd01995f697149
                                        • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                        • Opcode Fuzzy Hash: 085f496563eb3368f1495d8a85dc81db8c626588090c1be3a7cd01995f697149
                                        • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                        • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                        • CloseHandle.KERNEL32 ref: 00405A23
                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                        • CloseHandle.KERNEL32 ref: 00405A45
                                        Similarity
                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                        • API String ID: 2994406822-18413064
                                        • Opcode ID: 279c72e3d0ed72e4f27a1cdfe87fc227cbf08f5468d87b1abd4027fe278b0ccf
                                        • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                        • Opcode Fuzzy Hash: 279c72e3d0ed72e4f27a1cdfe87fc227cbf08f5468d87b1abd4027fe278b0ccf
                                        • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 00412141
                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                          • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                          • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                        • CloseHandle.KERNEL32(00000000), ref: 00412190
                                        • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                        • API String ID: 3018269243-13974260
                                        • Opcode ID: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                        • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                        • Opcode Fuzzy Hash: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                        • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                        • FindClose.KERNEL32(00000000), ref: 0040BC04
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                        • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 1164774033-3681987949
                                        • Opcode ID: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                        • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                        • Opcode Fuzzy Hash: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                        • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                        APIs
                                        • OpenClipboard.USER32 ref: 004168FD
                                        • EmptyClipboard.USER32 ref: 0041690B
                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                        • GlobalLock.KERNEL32(00000000), ref: 00416934
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                        • CloseClipboard.USER32 ref: 00416990
                                        • OpenClipboard.USER32 ref: 00416997
                                        • GetClipboardData.USER32(0000000D), ref: 004169A7
                                        • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                        • CloseClipboard.USER32 ref: 004169BF
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                        • String ID: !D@$xdF
                                        • API String ID: 3520204547-3540039394
                                        • Opcode ID: 42f4f6424a784916a7480506ad13e9ef758327aee133477e61e13fa0399f6aab
                                        • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                        • Opcode Fuzzy Hash: 42f4f6424a784916a7480506ad13e9ef758327aee133477e61e13fa0399f6aab
                                        • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                        • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF
                                        • API String ID: 3756808967-2341171916
                                        • Opcode ID: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                        • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                        • Opcode Fuzzy Hash: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                        • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                        • FindClose.KERNEL32(00000000), ref: 0040BE04
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                        • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                        • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$File$FirstNext
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 3527384056-432212279
                                        • Opcode ID: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                        • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                        • Opcode Fuzzy Hash: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                        • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                        APIs
                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                        • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                        • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                        • CloseHandle.KERNEL32(?), ref: 004134A0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                        • String ID:
                                        • API String ID: 297527592-0
                                        • Opcode ID: 2efb778ffe6d135ef703f497a1bb6b2d91529e447e146419960ac3c90d68091b
                                        • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                        • Opcode Fuzzy Hash: 2efb778ffe6d135ef703f497a1bb6b2d91529e447e146419960ac3c90d68091b
                                        • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$2$3$4$5$6$7$VG
                                        • API String ID: 0-1861860590
                                        • Opcode ID: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                        • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                        • Opcode Fuzzy Hash: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                        • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                        APIs
                                          • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                          • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                          • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                          • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                          • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                        • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                        • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                        • API String ID: 1589313981-3345310279
                                        • Opcode ID: f211d8f8c74b43f6a7a1cfd36ff4f80e992d88f1a6359d5e6e54e6d8489d3d1a
                                        • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                        • Opcode Fuzzy Hash: f211d8f8c74b43f6a7a1cfd36ff4f80e992d88f1a6359d5e6e54e6d8489d3d1a
                                        • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                        APIs
                                        • _wcslen.LIBCMT ref: 0040755C
                                        • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Object_wcslen
                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                        • API String ID: 240030777-3166923314
                                        • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                        • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                        • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                        • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                        • GetLastError.KERNEL32 ref: 0041A84C
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                        • String ID:
                                        • API String ID: 3587775597-0
                                        • Opcode ID: 6d200c93f34079ae71c82b73248bc1d4a0017c0a1dadb16676f11039057c5814
                                        • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                        • Opcode Fuzzy Hash: 6d200c93f34079ae71c82b73248bc1d4a0017c0a1dadb16676f11039057c5814
                                        • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Find$CreateFirstNext
                                        • String ID: 8SG$8eF$PXG$PXG$NG$PG
                                        • API String ID: 341183262-432830541
                                        • Opcode ID: 8c3aed3000d7320fdc4dd7ad3aab95109fbf953b62b004a5a2cf60f030c844a3
                                        • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                        • Opcode Fuzzy Hash: 8c3aed3000d7320fdc4dd7ad3aab95109fbf953b62b004a5a2cf60f030c844a3
                                        • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                        • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                        • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                        • String ID: JD$JD$JD
                                        • API String ID: 745075371-3517165026
                                        • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                        • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                        • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                        • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                        • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                        • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 1164774033-405221262
                                        • Opcode ID: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                        • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                        • Opcode Fuzzy Hash: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                        • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                        • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 2341273852-0
                                        • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                        • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                        • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                        • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                        • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                        • GetLastError.KERNEL32 ref: 0040A328
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                        • TranslateMessage.USER32(?), ref: 0040A385
                                        • DispatchMessageA.USER32(?), ref: 0040A390
                                        Strings
                                        • Keylogger initialization failure: error , xrefs: 0040A33C
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                        • String ID: Keylogger initialization failure: error
                                        • API String ID: 3219506041-952744263
                                        • Opcode ID: a77984c91bbe3eb1ff3a05bb511e534cb27265d75ac9b65a7bf9d2bb6548dda1
                                        • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                        • Opcode Fuzzy Hash: a77984c91bbe3eb1ff3a05bb511e534cb27265d75ac9b65a7bf9d2bb6548dda1
                                        • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 0040A451
                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                        • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                        • GetKeyState.USER32(00000010), ref: 0040A46E
                                        • GetKeyboardState.USER32(?), ref: 0040A479
                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                        • String ID:
                                        • API String ID: 1888522110-0
                                        • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                        • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                        • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                        • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                        • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                        • API String ID: 2127411465-314212984
                                        • Opcode ID: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                        • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                        • Opcode Fuzzy Hash: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                        • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                        APIs
                                        • _free.LIBCMT ref: 00449292
                                        • _free.LIBCMT ref: 004492B6
                                        • _free.LIBCMT ref: 0044943D
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                        • _free.LIBCMT ref: 00449609
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        • Opcode ID: 9d737620ee5c630f8ac732b373c324f56d4d8bd2db6b9a1ad30cafd364e2800f
                                        • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                        • Opcode Fuzzy Hash: 9d737620ee5c630f8ac732b373c324f56d4d8bd2db6b9a1ad30cafd364e2800f
                                        • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                        Strings
                                        • open, xrefs: 00406FF1
                                        • C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, xrefs: 00407042, 0040716A
                                        • 0aF, xrefs: 0040701B
                                        • 0aF, xrefs: 0040712C
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: DownloadExecuteFileShell
                                        • String ID: 0aF$0aF$C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe$open
                                        • API String ID: 2825088817-99528179
                                        • Opcode ID: e2ffd63addb94ba147d74eaf4cb76dc7edd8d28aacd664d9fcd8ebc301bfbf31
                                        • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                        • Opcode Fuzzy Hash: e2ffd63addb94ba147d74eaf4cb76dc7edd8d28aacd664d9fcd8ebc301bfbf31
                                        • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040884C
                                        • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                        • String ID: xdF
                                        • API String ID: 1771804793-999140092
                                        • Opcode ID: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                        • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                        • Opcode Fuzzy Hash: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                        • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                        • GetLastError.KERNEL32 ref: 0040BA93
                                        Strings
                                        • UserProfile, xrefs: 0040BA59
                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                        • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 2018770650-1062637481
                                        • Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                        • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                        • Opcode Fuzzy Hash: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                        • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                        • GetLastError.KERNEL32 ref: 004179D8
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                        • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                        • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                        • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
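                                         The function listings above each pair a characteristic API with a characteristic constant or string: SetWindowsHookExA with idHook 0x0D (WH_KEYBOARD_LL) next to "Keylogger initialization failure", FindFirstFileW over \Mozilla\Firefox\Profiles\ with \cookies.sqlite, the FindFirstFileW/SetFileAttributesW(0x80)/DeleteFileW/RemoveDirectoryW walk, URLDownloadToFileW beside ShellExecuteW "open", DeleteFileA on the Chrome Login Data path, and AdjustTokenPrivileges with SeShutdownPrivilege. The block below is an added example, not Joe Sandbox output and not code from the sample, of turning those co-occurrences into a triage check over trace records. The FUNC/API/STR line format it parses and the capability names it emits are this example's own assumptions, not the report's native format; SAMPLE_TRACE is a constructed, abridged transcription of the listings above.

```python
"""Capability triage over Joe Sandbox-style per-function API traces (added example).

Not Joe Sandbox code and not the sample's code: the FUNC / API / STR record format,
the rules and the capability names are this example's own assumptions, and
SAMPLE_TRACE is a constructed transcription of the listings above.
"""
import re
from dataclasses import dataclass, field

WH_KEYBOARD_LL = 13  # SetWindowsHookEx idHook 0x0D; WH_KEYBOARD (2) is a different, per-thread hook
_FUNC = re.compile(r"^FUNC\s+([0-9A-Fa-f]+)$")
_API = re.compile(r"^API\s+(\w+)\.(\w+)(?:\((.*)\))?$")

def _base(name):
    return re.sub(r"[AW]$", "", name)  # fold the A/W suffix: DeleteFileA == DeleteFileW (heuristic)

def _hex(arg):
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None  # "?" and literals -> None

@dataclass
class FunctionRecord:
    address: str
    apis: list = field(default_factory=list)     # [(name, module, [args])]
    strings: list = field(default_factory=list)

    def has(self, *names):
        seen = {_base(n) for n, _, _ in self.apis}
        return all(_base(n) in seen for n in names)

    def args_of(self, name):
        return [a for n, _, a in self.apis if _base(n) == _base(name)]

    def mentions(self, *needles):  # strings plus argument literals (the Firefox path is only an argument)
        blob = "\n".join(self.strings + [a for _, _, args in self.apis for a in args])
        return all(n in blob for n in needles)

def parse_trace(text):
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _FUNC.match(line):
            cur = FunctionRecord(m.group(1).upper())
            records.append(cur)
        elif cur is None:
            raise ValueError(f"record line before any FUNC header: {line!r}")
        elif m := _API.match(line):
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
            cur.apis.append((m.group(1), m.group(2), args))
        elif line.startswith("STR "):
            cur.strings.append(line[4:])
        else:
            raise ValueError(f"unrecognised trace line: {line!r}")
    return records

def classify(rec):
    caps = set()
    if any(a and _hex(a[0]) == WH_KEYBOARD_LL for a in rec.args_of("SetWindowsHookEx")):
        caps.add("keylogger_hook")
    if rec.has("FindFirstFile") and rec.mentions(r"\Mozilla\Firefox\Profiles", "cookies.sqlite"):
        caps.add("firefox_cookie_access")
    if rec.has("DeleteFile") and rec.mentions(r"\Google\Chrome\User Data", "Login Data"):
        caps.add("chrome_login_data_delete")
    if rec.has("URLDownloadToFile", "ShellExecute"):
        caps.add("download_and_execute")
    if rec.has("AdjustTokenPrivileges") and any(s.startswith("Se") and s.endswith("Privilege") for s in rec.strings):
        caps.add("privilege_adjust")
    if rec.has("FindFirstFile", "DeleteFile", "RemoveDirectory") and any(  # 0x80 = FILE_ATTRIBUTE_NORMAL
            len(a) > 1 and _hex(a[1]) == 0x80 for a in rec.args_of("SetFileAttributes")):
        caps.add("recursive_delete")
    return caps

def triage(text):
    return {rec.address: classify(rec) for rec in parse_trace(text)}  # address -> capability set

# Constructed sample: abridged transcription of the report's function listings.
SAMPLE_TRACE = r"""
FUNC 0040A30E
API SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000)
STR Keylogger initialization failure: error
FUNC 0040C3D6
API FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000)
STR \cookies.sqlite
FUNC 0041C37D
API FindFirstFileW.KERNEL32(?,?,?)
API SetFileAttributesW.KERNEL32(?,00000080)
API DeleteFileW.KERNEL32(?)
API RemoveDirectoryW.KERNEL32(00000000)
FUNC 00406FF7
API ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001)
API URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000)
FUNC 0040BA89
API DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data)
FUNC 0041799A
API LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?)
API AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000)
STR SeShutdownPrivilege
"""
```

                                         Two design points matter when reusing this on other reports. The hook rule checks the idHook value rather than the mere presence of SetWindowsHookEx, because only 13 is the system-wide low-level keyboard hook; a WH_KEYBOARD (2) call in the same position is not flagged. The A/W suffix fold in _base is a convenience heuristic and would wrongly merge an API whose real name ends in an uppercase A or W, so treat a match as a lead for the analyst, not as a verdict.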
                                         Memory Dump Source
                                         • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                        • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                        • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                        • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00409293
                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                        • FindClose.KERNEL32(00000000), ref: 004093FC
                                          • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                          • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                          • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                        • FindClose.KERNEL32(00000000), ref: 004095F4
                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                        • String ID:
                                        • API String ID: 1824512719-0
                                        • Opcode ID: 59e39cceb89accd49a364b67fce820dfbb3b5ce655084222bcfd4fd7aa577296
                                        • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                        • Opcode Fuzzy Hash: 59e39cceb89accd49a364b67fce820dfbb3b5ce655084222bcfd4fd7aa577296
                                        • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                        • String ID:
                                        • API String ID: 276877138-0
                                        • Opcode ID: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                        • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                        • Opcode Fuzzy Hash: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                        • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                        • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                        • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                        • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                        • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$FirstNextsend
                                        • String ID: 8eF$XPG$XPG
                                        • API String ID: 4113138495-4157548504
                                        • Opcode ID: 7a5c3d9e14cb1f5e3befbd9a80a8d16349b8335561f890dc7847aff180d4e2e3
                                        • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                        • Opcode Fuzzy Hash: 7a5c3d9e14cb1f5e3befbd9a80a8d16349b8335561f890dc7847aff180d4e2e3
                                        • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                        APIs
                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                          • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                          • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                          • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateInfoParametersSystemValue
                                        • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        • API String ID: 4127273184-3126330168
                                        • Opcode ID: 66999e3142bd33a62fa1d08061f300942aa72122ed75466f2ef34f9b656b6348
                                        • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                        • Opcode Fuzzy Hash: 66999e3142bd33a62fa1d08061f300942aa72122ed75466f2ef34f9b656b6348
                                        • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                        APIs
                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                        • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                        • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                        • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                        • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                        • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                        • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004096A5
                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstH_prologNext
                                        • String ID:
                                        • API String ID: 1157919129-0
                                        • Opcode ID: 96c6d110fa695d661907fb43dfa402e2085f3c3512803720d38caf79e6a8c285
                                        • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                        • Opcode Fuzzy Hash: 96c6d110fa695d661907fb43dfa402e2085f3c3512803720d38caf79e6a8c285
                                        • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                        • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                        • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                        • String ID:
                                        • API String ID: 4212172061-0
                                        • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                        • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                        • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                        • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: p'E$JD
                                        • API String ID: 1084509184-908320845
                                        • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                        • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                        • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                        • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                        • String ID:
                                        • API String ID: 2829624132-0
                                        • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                        • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                        • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                        • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                        • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                        • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                        • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                        • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                        • ExitProcess.KERNEL32 ref: 0044338F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                        • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                        • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                        • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                        APIs
                                        • OpenClipboard.USER32(00000000), ref: 0040B74C
                                        • GetClipboardData.USER32(0000000D), ref: 0040B758
                                        • CloseClipboard.USER32 ref: 0040B760
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseDataOpen
                                        • String ID:
                                        • API String ID: 2058664381-0
                                        • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                        • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                        • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                        • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                        • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                        • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenResume
                                        • String ID:
                                        • API String ID: 3614150671-0
                                        • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                        • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                        • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                        • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                        • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                        • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenSuspend
                                        • String ID:
                                        • API String ID: 1999457699-0
                                        • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                        • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                        • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                        • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: .
                                        • API String ID: 0-248832578
                                        • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                        • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                        • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                        • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: JD
                                        • API String ID: 1084509184-2669065882
                                        • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                        • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                        • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                        • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: GetLocaleInfoEx
                                        • API String ID: 2299586839-2904428671
                                        • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                        • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                        • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                        • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                        • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                        • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                        • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID:
                                        • API String ID: 3859560861-0
                                        • Opcode ID: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                        • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                        • Opcode Fuzzy Hash: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                        • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                        • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                        • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                        • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                        • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                        • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                        • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FeaturePresentProcessor
                                        • String ID:
                                        • API String ID: 2325560087-0
                                        • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                        • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                        • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                        • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                        • String ID:
                                        • API String ID: 1663032902-0
                                        • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                        • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                        • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                        • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale_abort_free
                                        • String ID:
                                        • API String ID: 2692324296-0
                                        • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                        • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                        • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                        • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                        APIs
                                          • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                        • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                        • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                        • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                        • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        • API String ID: 1084509184-0
                                        • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                        • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                        • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                        • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                        • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                        • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                        • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                        • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                        • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                        • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                        • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                        • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                        • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                        • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                        • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                        • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                        • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                        • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                        • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                        • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                        • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                        • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                        • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                        • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                        • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                        • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                        • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                        • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                        • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                        • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                        • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                        • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                        • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                        • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                        • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                          • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                        • DeleteDC.GDI32(00000000), ref: 00418F68
                                        • DeleteObject.GDI32(00000000), ref: 00418F6B
                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                        • DeleteDC.GDI32(00000000), ref: 00418F9D
                                        • DeleteDC.GDI32(00000000), ref: 00418FA0
                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                        • GetCursorInfo.USER32(?), ref: 00418FE2
                                        • GetIconInfo.USER32(?,?), ref: 00418FF8
                                        • DeleteObject.GDI32(?), ref: 00419027
                                        • DeleteObject.GDI32(?), ref: 00419034
                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                        • DeleteDC.GDI32(?), ref: 004191B7
                                        • DeleteDC.GDI32(00000000), ref: 004191BA
                                        • DeleteObject.GDI32(00000000), ref: 004191BD
                                        • GlobalFree.KERNEL32(?), ref: 004191C8
                                        • DeleteObject.GDI32(00000000), ref: 0041927C
                                        • GlobalFree.KERNEL32(?), ref: 00419283
                                        • DeleteDC.GDI32(?), ref: 00419293
                                        • DeleteDC.GDI32(00000000), ref: 0041929E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                        • String ID: DISPLAY
                                        • API String ID: 4256916514-865373369
                                        • Opcode ID: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                        • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                        • Opcode Fuzzy Hash: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                        • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                        APIs
                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                        • ExitProcess.KERNEL32 ref: 0040D80B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xdF$xpF
                                        • API String ID: 1861856835-1269936466
                                        • Opcode ID: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
                                        • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                        • Opcode Fuzzy Hash: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
                                        • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                        • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                        • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                        • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                        • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                        • ResumeThread.KERNEL32(?), ref: 00418470
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                        • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                        • GetLastError.KERNEL32 ref: 004184B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                        • API String ID: 4188446516-3035715614
                                        • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                        • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                        • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                        • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                        APIs
                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                        • ExitProcess.KERNEL32 ref: 0040D454
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xdF$xpF
                                        • API String ID: 3797177996-2858374497
                                        • Opcode ID: dd8319ffc67d1054beefb8b0b566d77839d74a362affede773f697cf057b9661
                                        • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                        • Opcode Fuzzy Hash: dd8319ffc67d1054beefb8b0b566d77839d74a362affede773f697cf057b9661
                                        • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
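The three listings above are the most telling in this section: the function at 0x418171 resolves ZwCreateSection / ZwMapViewOfSection / ZwUnmapViewOfSection from ntdll, calls CreateProcessW with dwCreationFlags 0x4 (CREATE_SUSPENDED), reads the new thread's context, writes into the child and sets the context before ResumeThread (the classic process-hollowing sequence); the two functions around 0x40D1E0 and 0x40D558 delete a key under HKCU (0x80000001), clear file attributes, build a VBScript from the "fso.DeleteFile" / "while fso.FileExists(" fragments, run it through ShellExecuteW "open" and call ExitProcess (a self-removal routine); and the function at 0x418ECB opens a "DISPLAY" DC, blits it into a compatible bitmap, overlays the cursor with GetCursorInfo + DrawIcon and reads the pixels back with GetDIBits (a screenshot with the mouse pointer included). What follows is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own tooling: a small Python parser for the report's "APIs" and "String ID" lines plus three rule functions that flag each of those patterns. The sample inputs are lines copied from the listings above; the regular expression is written for the line shape seen on this page and may need adjusting for other report versions, and the rule names and the exact API sets each rule requires are my own choices.

```python
"""Parse Joe Sandbox per-function "APIs" / "String ID" lines and flag the techniques they show."""
import re
from dataclasses import dataclass, field

# One "APIs" line of the report, e.g.
#   • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,...), ref: 00418252
#   • Part of subcall function 0041288B: TerminateProcess.KERNEL32(...), ref: 0041289B
#   • ExitProcess.KERNEL32 ref: 0040D80B   (no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit; dwCreationFlags is the 6th argument of CreateProcessW

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str           # call-site address
    subcall: str = ""  # callee address when the line is "Part of subcall function"

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    def names(self) -> set:
        return {c.api for c in self.calls}

def parse_entry(text: str) -> FunctionEntry:
    """Collect the API calls and the '$'-separated String IDs of one report entry."""
    entry = FunctionEntry()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            entry.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif (s := STRING_ID_LINE.match(line)) and s["ids"]:
            entry.strings.extend(s["ids"].split("$"))
    return entry

def detect_process_hollowing(e: FunctionEntry) -> bool:
    """CreateProcessW(CREATE_SUSPENDED), then context read, remote write, context set, resume."""
    suspended = any(c.api == "CreateProcessW" and len(c.args) > 5 and HEX32.fullmatch(c.args[5])
                    and int(c.args[5], 16) & CREATE_SUSPENDED for c in e.calls)
    return suspended and {"GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"} <= e.names()

def detect_vbs_self_delete(e: FunctionEntry) -> bool:
    """HKCU Run-key deletion plus a VBScript that deletes the executable, then ExitProcess."""
    run_key = any(s.startswith(r"Software\Microsoft\Windows\CurrentVersion\Run") for s in e.strings)
    fso = any("fso.DeleteFile" in s for s in e.strings)
    return run_key and fso and {"RegDeleteKeyA", "ShellExecuteW", "ExitProcess"} <= e.names()

def detect_screen_capture(e: FunctionEntry) -> bool:
    """Display DC copied into a bitmap, cursor drawn on top, pixels read back with GetDIBits."""
    display = any(c.api == "CreateDCA" and c.args[:1] == ["DISPLAY"] for c in e.calls)
    blit = bool({"BitBlt", "StretchBlt"} & e.names())
    return display and blit and {"GetCursorInfo", "DrawIcon", "GetDIBits"} <= e.names()

RULES = {"process_hollowing": detect_process_hollowing,
         "vbs_self_delete": detect_vbs_self_delete,
         "screen_capture_with_cursor": detect_screen_capture}

def classify(text: str) -> set:
    """Labels of every rule that fires on one report entry."""
    entry = parse_entry(text)
    return {name for name, rule in RULES.items() if rule(entry)}

# Constructed samples: lines copied from the three function listings in this report section.
HOLLOWING = r"""
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
"""
SELF_DELETE = r"""
• Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
• String ID: On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$fso.DeleteFile(Wscript.ScriptFullName)$open
"""
SCREENSHOT = r"""
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
• String ID: DISPLAY
"""

if __name__ == "__main__":
    for label, sample in (("hollowing", HOLLOWING), ("self-delete", SELF_DELETE), ("screenshot", SCREENSHOT)):
        print(label, sorted(classify(sample)))
```

The rules deliberately key on argument values the report preserves rather than on API names alone: a suspended CreateProcessW is what separates hollowing from an ordinary spawn followed by debugging calls, and the "DISPLAY" device name is what separates a screenshot from any other GDI drawing routine. Lines whose arguments Joe Sandbox could not resolve show "?" in that position, which is why the flag check first confirms the argument is an 8-digit hex value.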
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                        • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                        • CloseHandle.KERNEL32(00000000), ref: 00412576
                                        • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                        • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                        • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                        • Sleep.KERNEL32(000001F4), ref: 004126BD
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                        • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                        • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                        • String ID: .exe$8SG$WDH$exepath$open$temp_
                                        • API String ID: 2649220323-436679193
                                        • Opcode ID: 1c913ae08a5e17ca5ba38718309b211a0371373e46d4682c3eff5b2ddab4b42e
                                        • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                        • Opcode Fuzzy Hash: 1c913ae08a5e17ca5ba38718309b211a0371373e46d4682c3eff5b2ddab4b42e
                                        • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                        APIs
                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                        • SetEvent.KERNEL32 ref: 0041B2AA
                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                        • CloseHandle.KERNEL32 ref: 0041B2CB
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                        • API String ID: 738084811-2094122233
                                        • Opcode ID: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                        • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                        • Opcode Fuzzy Hash: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                        • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                        • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                        • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                        • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                        • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                        • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                        • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                        • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                        • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                        • API String ID: 1646373207-1132512192
                                        • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                        • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                        • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                        • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                        APIs
                                        • _wcslen.LIBCMT ref: 0040CE42
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                        • _wcslen.LIBCMT ref: 0040CF21
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                        • _wcslen.LIBCMT ref: 0040D001
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                        • ExitProcess.KERNEL32 ref: 0040D09D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                        • String ID: 6$C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe$del$open$xdF
                                        • API String ID: 1579085052-2114964801
                                        • Opcode ID: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                        • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                        • Opcode Fuzzy Hash: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                        • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                        APIs
                                        • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                        • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                        • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                        • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                        • _wcslen.LIBCMT ref: 0041C1CC
                                        • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                        • GetLastError.KERNEL32 ref: 0041C204
                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                        • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                        • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                        • GetLastError.KERNEL32 ref: 0041C261
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                        • String ID: ?
                                        • API String ID: 3941738427-1684325040
                                        • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                        • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                        • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                        • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                        • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                        • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                        • Sleep.KERNEL32(00000064), ref: 00412ECF
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                        • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                        • API String ID: 1223786279-4119708859
                                        • Opcode ID: 94a5bbb10df897a3dcc3a825f47840a0e76583b49b06aa9b4f2162d9b7ac73d6
                                        • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                        • Opcode Fuzzy Hash: 94a5bbb10df897a3dcc3a825f47840a0e76583b49b06aa9b4f2162d9b7ac73d6
                                        • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$EnvironmentVariable$_wcschr
                                        • String ID:
                                        • API String ID: 3899193279-0
                                        • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                        • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                        • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                        • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                        • __aulldiv.LIBCMT ref: 00408D88
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                        • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                        • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                        • CloseHandle.KERNEL32(00000000), ref: 00409037
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
                                        • API String ID: 3086580692-3944908133
                                        • Opcode ID: d1236d5277051a74a8d0eb1d924e96be3c8a686d98197a44253422edb13a818e
                                        • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                        • Opcode Fuzzy Hash: d1236d5277051a74a8d0eb1d924e96be3c8a686d98197a44253422edb13a818e
                                        • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                        APIs
                                        • Sleep.KERNEL32(00001388), ref: 0040A77B
                                          • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                          • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                          • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                          • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                        • String ID: 8SG$8SG$pQG$pQG$xdF$PG$PG
                                        • API String ID: 3795512280-661585845
                                        • Opcode ID: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                        • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                        • Opcode Fuzzy Hash: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                        • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                        • GetCursorPos.USER32(?), ref: 0041D67A
                                        • SetForegroundWindow.USER32(?), ref: 0041D683
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                        • ExitProcess.KERNEL32 ref: 0041D6F6
                                        • CreatePopupMenu.USER32 ref: 0041D6FC
                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                        • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                        • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                        • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Info
                                        • String ID:
                                        • API String ID: 2509303402-0
                                        • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                        • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                        • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                        • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                        APIs
                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                          • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                          • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                        • ExitProcess.KERNEL32 ref: 0040D9FF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                        • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$xdF
                                        • API String ID: 1913171305-1736969612
                                        • Opcode ID: 8bbe4f0fb6c88a2abc4eeafe0384b11dbe09999f44ef1c7605111127e7698097
                                        • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                        • Opcode Fuzzy Hash: 8bbe4f0fb6c88a2abc4eeafe0384b11dbe09999f44ef1c7605111127e7698097
                                        • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
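The function above reads the implant's own path back from the registry ("exepath" under HKCU), writes a .vbs into Temp whose body is assembled from the fragments listed under String ID, launches it with ShellExecuteW("open") and calls ExitProcess. The script runs a hidden cmd /c command through WScript.Shell and then removes itself with FileSystemObject.DeleteFile(Wscript.ScriptFullName), so the stub is usually gone by the time an analyst looks. The following triage helper is an added example, not part of the Joe Sandbox report or of the Remcos code base: it takes the body of such a .vbs (recovered from a sandbox file drop, a Sysmon FileCreate capture or an AMSI/script-block log) and pulls out the hidden command, the paths it touches and whether the script self-deletes. The sample script, the "del /f /q" payload and the path in it are constructed here; the report only shows the fragments around the payload.

```python
"""Triage a self-deleting WScript launcher stub.

Added example; not code from the report or from the malware. Only the string
fragments quoted in the report are taken as fact. The cmd /c payload and the
file path in the sample below are assumptions.
"""
import re

# Constructed sample of a dropped %Temp%\*.vbs, assembled from the fragments
# listed above. The "del /f /q <path>" payload and the path are assumptions.
SAMPLE_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""del /f /q '
    'C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)

# WScript.Shell.Run "cmd /c ""<payload>""", <window style>
# In VBScript a doubled quote inside a string literal is a literal quote, so
# the shell receives  cmd /c "<payload>" ; window style 0 means hidden.
RUN_HIDDEN_CMD = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s+/c\s+""(?P<payload>.*?)"""'
    r'\s*,\s*(?P<style>\d+)',
    re.IGNORECASE,
)

# The script deletes itself by its own name, so no path is hard-coded and a
# path-based hunt for the .vbs will come up empty after execution.
SELF_DELETE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)'
    r'\.DeleteFile\(Wscript\.ScriptFullName\)',
    re.IGNORECASE,
)

# Drive-letter paths inside the hidden command: what the stub cleans up.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')


def analyse_vbs(text: str) -> dict:
    """Classify a VBScript body and extract what it would run and delete."""
    run = RUN_HIDDEN_CMD.search(text)
    payload = run.group("payload") if run else None
    style = int(run.group("style")) if run else None
    self_deletes = SELF_DELETE.search(text) is not None
    targets = WIN_PATH.findall(payload) if payload else []

    if payload is not None and self_deletes:
        verdict = "self-deleting launcher"
    elif self_deletes:
        verdict = "self-deleting script"
    elif payload is not None:
        verdict = "hidden command launcher"
    else:
        verdict = "benign or unknown"

    return {
        "hidden_cmd": payload,
        "window_style": style,
        "hidden_window": style == 0,
        "self_deletes": self_deletes,
        "targets": targets,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse_vbs(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```

Because the stub erases itself, the durable evidence is the process chain (the implant starting wscript.exe on a Temp .vbs, which starts cmd.exe with a hidden window) and the file-create event for the .vbs, not the script on disk; the parser is for the cases where the body was captured before it vanished.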
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                        • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                        • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                        • String ID: \ws2_32$\wship6$getaddrinfo
                                        • API String ID: 2490988753-3078833738
                                        • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                        • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                        • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                        • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 0045138A
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                        • _free.LIBCMT ref: 0045137F
                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 004513A1
                                        • _free.LIBCMT ref: 004513B6
                                        • _free.LIBCMT ref: 004513C1
                                        • _free.LIBCMT ref: 004513E3
                                        • _free.LIBCMT ref: 004513F6
                                        • _free.LIBCMT ref: 00451404
                                        • _free.LIBCMT ref: 0045140F
                                        • _free.LIBCMT ref: 00451447
                                        • _free.LIBCMT ref: 0045144E
                                        • _free.LIBCMT ref: 0045146B
                                        • _free.LIBCMT ref: 00451483
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                        • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                        • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                        • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0041A04A
                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                        • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                        • GetLocalTime.KERNEL32(?), ref: 0041A196
                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                        • API String ID: 489098229-1431523004
                                        • Opcode ID: ef3a2b2680ef5ec4cf1756d8d4e3928048fec3981f722f661be4b2a60a96407b
                                        • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                        • Opcode Fuzzy Hash: ef3a2b2680ef5ec4cf1756d8d4e3928048fec3981f722f661be4b2a60a96407b
                                        • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                        • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                        • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                        • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                        • closesocket.WS2_32(000000FF), ref: 00404E5A
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                        • String ID:
                                        • API String ID: 3658366068-0
                                        • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                        • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                        • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                        • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                        APIs
                                          • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                        • GetLastError.KERNEL32 ref: 00455D6F
                                        • __dosmaperr.LIBCMT ref: 00455D76
                                        • GetFileType.KERNEL32(00000000), ref: 00455D82
                                        • GetLastError.KERNEL32 ref: 00455D8C
                                        • __dosmaperr.LIBCMT ref: 00455D95
                                        • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                        • CloseHandle.KERNEL32(?), ref: 00455EFF
                                        • GetLastError.KERNEL32 ref: 00455F31
                                        • __dosmaperr.LIBCMT ref: 00455F38
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                        • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                        • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                        • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: \&G$\&G$`&G
                                        • API String ID: 269201875-253610517
                                        • Opcode ID: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                        • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                        • Opcode Fuzzy Hash: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                        • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 65535$udp
                                        • API String ID: 0-1267037602
                                        • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                        • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                        • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                        • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040AD73
                                        • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                        • GetForegroundWindow.USER32 ref: 0040AD84
                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                        • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                        • String ID: [${ User has been idle for $ minutes }$]
                                        • API String ID: 911427763-3954389425
                                        • Opcode ID: 430dc4abd07f39a6b13ec509c290215b6a75fd2b067629474df6fd6388a8dca8
                                        • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                        • Opcode Fuzzy Hash: 430dc4abd07f39a6b13ec509c290215b6a75fd2b067629474df6fd6388a8dca8
                                        • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                        APIs
                                        • OpenClipboard.USER32 ref: 0041697C
                                        • EmptyClipboard.USER32 ref: 0041698A
                                        • CloseClipboard.USER32 ref: 00416990
                                        • OpenClipboard.USER32 ref: 00416997
                                        • GetClipboardData.USER32(0000000D), ref: 004169A7
                                        • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                        • CloseClipboard.USER32 ref: 004169BF
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                        • String ID: !D@$xdF
                                        • API String ID: 2172192267-3540039394
                                        • Opcode ID: f8122d187f84bcc61e207b62fa39c018abbf95af5271be06fc2a6e9b15f4b477
                                        • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                        • Opcode Fuzzy Hash: f8122d187f84bcc61e207b62fa39c018abbf95af5271be06fc2a6e9b15f4b477
                                        • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                        • __dosmaperr.LIBCMT ref: 0043A926
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                        • __dosmaperr.LIBCMT ref: 0043A963
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                        • __dosmaperr.LIBCMT ref: 0043A9B7
                                        • _free.LIBCMT ref: 0043A9C3
                                        • _free.LIBCMT ref: 0043A9CA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                        • String ID:
                                        • API String ID: 2441525078-0
                                        • Opcode ID: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                        • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                        • Opcode Fuzzy Hash: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                        • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                        • TranslateMessage.USER32(?), ref: 0040557E
                                        • DispatchMessageA.USER32(?), ref: 00405589
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 2956720200-749203953
                                        • Opcode ID: 52e40677220340df766a1066c6eba0187cdd1e922d62033c57619962968f1fb1
                                        • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                        • Opcode Fuzzy Hash: 52e40677220340df766a1066c6eba0187cdd1e922d62033c57619962968f1fb1
                                        • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                          • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                          • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnumInfoOpenQuerysend
                                        • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                        • API String ID: 3114080316-4028018678
                                        • Opcode ID: 882ff7e01c3d08ca6fdfa6cac83639225ac0c66ad9ccab99784801e0feb7fca5
                                        • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                        • Opcode Fuzzy Hash: 882ff7e01c3d08ca6fdfa6cac83639225ac0c66ad9ccab99784801e0feb7fca5
                                        • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                        APIs
                                          • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                        • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                        • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                        • String ID: 0VG$0VG$<$@$Temp
                                        • API String ID: 1704390241-2575729100
                                        • Opcode ID: 80ffa916d59d600171d9ca3e34e0670cc9ac865161bbbc65e8436c0bee0f72cd
                                        • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                        • Opcode Fuzzy Hash: 80ffa916d59d600171d9ca3e34e0670cc9ac865161bbbc65e8436c0bee0f72cd
                                        • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                        • int.LIBCPMT ref: 00410EBC
                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                        • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                        • String ID: ,kG$0kG$@!G
                                        • API String ID: 3815856325-312998898
                                        • Opcode ID: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                        • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                        • Opcode Fuzzy Hash: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                        • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                        • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                        • Opcode Fuzzy Hash: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                        • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                        APIs
                                        • _free.LIBCMT ref: 004481B5
                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 004481C1
                                        • _free.LIBCMT ref: 004481CC
                                        • _free.LIBCMT ref: 004481D7
                                        • _free.LIBCMT ref: 004481E2
                                        • _free.LIBCMT ref: 004481ED
                                        • _free.LIBCMT ref: 004481F8
                                        • _free.LIBCMT ref: 00448203
                                        • _free.LIBCMT ref: 0044820E
                                        • _free.LIBCMT ref: 0044821C
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                        • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                        • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                        • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                        • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                        • DisplayName, xrefs: 0041C7CD
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnumOpen
                                        • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                        • API String ID: 1332880857-3614651759
                                        • Opcode ID: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                        • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                        • Opcode Fuzzy Hash: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                        • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Eventinet_ntoa
                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                        • API String ID: 3578746661-3604713145
                                        • Opcode ID: 5c33d1f9f65c9c449aa35b26580c4cecb093cf1a2db0907efe7836f61556d110
                                        • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                        • Opcode Fuzzy Hash: 5c33d1f9f65c9c449aa35b26580c4cecb093cf1a2db0907efe7836f61556d110
                                        • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • Sleep.KERNEL32(00000064), ref: 0041755C
                                        • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CreateDeleteExecuteShellSleep
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1462127192-2001430897
                                        • Opcode ID: d0f70b8df9fe10b093b079c3319088e07b2679cc5b0ed1992e361cead8d3f0ee
                                        • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                        • Opcode Fuzzy Hash: d0f70b8df9fe10b093b079c3319088e07b2679cc5b0ed1992e361cead8d3f0ee
                                        • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe), ref: 004074D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CurrentProcess
                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                        • API String ID: 2050909247-4242073005
                                        • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                        • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                        • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                        • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                        APIs
                                        • _strftime.LIBCMT ref: 00401D50
                                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                        • API String ID: 3809562944-243156785
                                        • Opcode ID: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                        • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                        • Opcode Fuzzy Hash: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                        • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                        APIs
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                        • waveInStart.WINMM ref: 00401CFE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                        • String ID: dMG$|MG$PG
                                        • API String ID: 1356121797-532278878
                                        • Opcode ID: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                        • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                        • Opcode Fuzzy Hash: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                        • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                          • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                          • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                          • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                        • TranslateMessage.USER32(?), ref: 0041D57A
                                        • DispatchMessageA.USER32(?), ref: 0041D584
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID: Remcos
                                        • API String ID: 1970332568-165870891
                                        • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                        • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                        • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                        • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                        • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                        • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                        • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                        • __alloca_probe_16.LIBCMT ref: 00453F6A
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                        • __alloca_probe_16.LIBCMT ref: 00454014
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                        • __freea.LIBCMT ref: 00454083
                                        • __freea.LIBCMT ref: 0045408F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 201697637-0
                                        • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                        • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                        • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                        • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • _memcmp.LIBVCRUNTIME ref: 004454A4
                                        • _free.LIBCMT ref: 00445515
                                        • _free.LIBCMT ref: 0044552E
                                        • _free.LIBCMT ref: 00445560
                                        • _free.LIBCMT ref: 00445569
                                        • _free.LIBCMT ref: 00445575
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorLast$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 1679612858-1037565863
                                        • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                        • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                        • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                        • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: tcp$udp
                                        • API String ID: 0-3725065008
                                        • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                        • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                        • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                        • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 004018BE
                                        • ExitThread.KERNEL32 ref: 004018F6
                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                        • String ID: PkG$XMG$NG$NG
                                        • API String ID: 1649129571-3151166067
                                        • Opcode ID: 2d9b879654642e1cb38bacb082170558b63e255e5d7d9ef3184acd3b4935e6a6
                                        • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                        • Opcode Fuzzy Hash: 2d9b879654642e1cb38bacb082170558b63e255e5d7d9ef3184acd3b4935e6a6
                                        • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                          • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                          • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                        • String ID: .part
                                        • API String ID: 1303771098-3499674018
                                        • Opcode ID: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                        • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                        • Opcode Fuzzy Hash: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                        • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                        APIs
                                        • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                        • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                        • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Console$Window$AllocOutputShow
                                        • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                        • API String ID: 4067487056-2212855755
                                        • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                        • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                        • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                        • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
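The function records above (dxdiag-based system-information collection, NtAllocateVirtualMemory strings next to explorer.exe, waveIn* microphone capture, a ".part" staged download, and a console that is allocated and immediately hidden behind the "Remcos v 5.1.3 Pro" banner) are only useful to an analyst once each API-and-string combination is reduced to a capability. The tagger below is an added example, not part of the Joe Sandbox report or of Remcos: it parses the "APIs", "String ID" and "Opcode ID" lines of records in the format shown here and maps them to labels. The tag names, the matching rules and the trimmed sample listing are this example's own assumptions; the sample records are excerpts copied from the listing above with their argument lists shortened.

```python
"""Capability tagging for Joe Sandbox style function records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: five records excerpted from the listing above with argument
# lists trimmed. As in the report, a record ends at its "Instruction Fuzzy Hash" line.
SAMPLE_LISTING = """\
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\\sysinfo.txt$dxdiag$open$temp
• Opcode ID: d0f70b8df9fe10b093b079c3319088e07b2679cc5b0ed1992e361cead8d3f0ee
• Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004), ref: 00407418
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\\explorer.exe$explorer.exe$windir
• Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
• Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
APIs
• _strftime.LIBCMT ref: 00401D50
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
• Opcode ID: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
• Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
• DeleteFileW.KERNEL32(00000000,?), ref: 00407AE0
• String ID: .part
• Opcode ID: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
• Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
APIs
• AllocConsole.KERNEL32(00475338), ref: 0041CE35
• GetConsoleWindow.KERNEL32 ref: 0041CE3B
• ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
• String ID: Remcos v$5.1.3 Pro$CONOUT$
• Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
• Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
"""

# "• Name.MODULE(...)" lines, including "Part of subcall function XXXX:" entries.
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z0-9_]+)\b")
STR_RE = re.compile(r"^\s*•\s*String ID:\s?(.*)$")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*([0-9a-f]+)")
END_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")


@dataclass
class Record:
    opcode_id: str = ""
    apis: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_records(listing: str) -> List[Record]:
    """Split the listing into records and collect API names, strings and opcode id."""
    records: List[Record] = []
    cur = Record()
    for line in listing.splitlines():
        if END_RE.match(line):
            records.append(cur)
            cur = Record()
            continue
        if m := API_RE.match(line):
            cur.apis.append(m.group(1))
        elif m := STR_RE.match(line):
            # The report joins strings with '$'; a literal that ends in '$' (CONOUT$)
            # loses that character, so rules below match loosely, not on exact names.
            cur.strings = [s for s in m.group(1).split("$") if s]
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m.group(1)
    if cur.apis or cur.strings or cur.opcode_id:
        records.append(cur)  # trailing record without a terminator line
    return records


def tag_capabilities(rec: Record) -> List[str]:
    """Map one record's API/string combination to capability labels (assumed names)."""
    apis, strs, tags = set(rec.apis), [s.strip() for s in rec.strings], []
    # "dxdiag /t <temp>\sysinfo.txt", then sleep, open the dump and delete it.
    if "ShellExecuteW" in apis and "dxdiag" in strs and any(s.endswith("sysinfo.txt") for s in strs):
        tags.append("sysinfo_via_dxdiag")
    if any(a.startswith("waveIn") for a in apis):          # waveInOpen/AddBuffer/...
        tags.append("microphone_capture")
    if "explorer.exe" in strs and any("NtAllocateVirtualMemory" in s for s in strs):
        tags.append("explorer_injection_setup")
    if {"WriteFile", "MoveFileW"} <= apis and ".part" in strs:  # write .part, rename
        tags.append("staged_file_download")
    if {"AllocConsole", "ShowWindow"} <= apis:              # console created then hidden
        tags.append("hidden_console")
    if any(s.startswith("Remcos v") for s in strs):
        tags.append("remcos_version_banner")
    return tags


def summarize(listing: str) -> Dict[str, List[str]]:
    """Opcode ID -> capability tags for every record in the listing."""
    return {rec.opcode_id: tag_capabilities(rec) for rec in parse_records(listing)}


if __name__ == "__main__":
    for opcode_id, tags in summarize(SAMPLE_LISTING).items():
        print(opcode_id[:16], ", ".join(tags) or "-")
```

Rules key on the API set plus the string set rather than on either alone: ShellExecuteW by itself is noise, but ShellExecuteW together with "dxdiag" and "sysinfo.txt" is the collection routine, and WriteFile plus MoveFileW with ".part" is the download path that lands files under a temporary name before renaming. Subcall APIs are counted as the function's own, since that is how the report attributes the CreateFileW that reads the dxdiag output.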
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                        • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                        • __alloca_probe_16.LIBCMT ref: 0044AE40
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                        • __freea.LIBCMT ref: 0044AEB0
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • __freea.LIBCMT ref: 0044AEB9
                                        • __freea.LIBCMT ref: 0044AEDE
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        APIs
                                        • SendInput.USER32 ref: 00419A25
                                        • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                        • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                          • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                        Similarity
                                        • API ID: InputSend$Virtual
                                        • String ID:
                                        • API String ID: 1167301434-0
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16_free
                                        • String ID: a/p$am/pm$h{D
                                        • API String ID: 2936374016-2303565833
                                        APIs
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • _free.LIBCMT ref: 00444E87
                                        • _free.LIBCMT ref: 00444E9E
                                        • _free.LIBCMT ref: 00444EBD
                                        • _free.LIBCMT ref: 00444ED8
                                        • _free.LIBCMT ref: 00444EEF
                                        Similarity
                                        • API ID: _free$AllocateHeap
                                        • String ID: KED
                                        • API String ID: 3033488037-2133951994
                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                        Similarity
                                        • API ID: Enum$InfoQueryValue
                                        • String ID: [regsplt]$xUG$TG
                                        • API String ID: 3554306468-1165877943
                                        APIs
                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                        • __fassign.LIBCMT ref: 0044B4F9
                                        • __fassign.LIBCMT ref: 0044B514
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                        • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        APIs
                                          • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                          • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                          • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                          • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                        • _wcslen.LIBCMT ref: 0041B7F4
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                        • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                        • API String ID: 3286818993-122982132
                                        APIs
                                          • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                          • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                          • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                        Similarity
                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                        • API String ID: 1133728706-4073444585
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                        • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                        • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                        Similarity
                                        • API ID: File$CloseHandle$CreatePointerWrite
                                        • String ID: xpF
                                        • API String ID: 1852769593-354647465
                                        APIs
                                          • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                        • _free.LIBCMT ref: 00450FC8
                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00450FD3
                                        • _free.LIBCMT ref: 00450FDE
                                        • _free.LIBCMT ref: 00451032
                                        • _free.LIBCMT ref: 0045103D
                                        • _free.LIBCMT ref: 00451048
                                        • _free.LIBCMT ref: 00451053
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                        • int.LIBCPMT ref: 004111BE
                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                        • std::_Facet_Register.LIBCPMT ref: 004111FE
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: (mG
                                        • API String ID: 2536120697-4059303827
                                        • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                        • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                        • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                        • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                        • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                        • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                        • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                        • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                        APIs
                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe), ref: 0040760B
                                          • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                          • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                        • CoUninitialize.OLE32 ref: 00407664
                                        Strings
                                        • [+] before ShellExec, xrefs: 0040762C
                                        • C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                        • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                        • [+] ShellExec success, xrefs: 00407649
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InitializeObjectUninitialize_wcslen
                                        • String ID: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                        • API String ID: 3851391207-3088509019
                                        • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                        • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                        • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                        • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                        • GetLastError.KERNEL32 ref: 0040BB22
                                        Strings
                                        • [Chrome Cookies not found], xrefs: 0040BB3C
                                        • UserProfile, xrefs: 0040BAE8
                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 2018770650-304995407
                                        • Opcode ID: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                        • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                        • Opcode Fuzzy Hash: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                        • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                        Strings
                                        • xdF, xrefs: 004076E4
                                        • Rmc-XH0QAV, xrefs: 00407715
                                        • C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, xrefs: 004076FF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe$Rmc-XH0QAV$xdF
                                        • API String ID: 0-1955132587
                                        • Opcode ID: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                        • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                        • Opcode Fuzzy Hash: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                        • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                        APIs
                                        • __allrem.LIBCMT ref: 0043ACE9
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                        • __allrem.LIBCMT ref: 0043AD1C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                        • __allrem.LIBCMT ref: 0043AD51
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                        • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                        • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                        • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                        APIs
                                        • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: H_prologSleep
                                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                        • API String ID: 3469354165-3054508432
                                        • Opcode ID: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                        • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                        • Opcode Fuzzy Hash: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                        • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                        APIs
                                          • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                        • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                          • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                          • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                          • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                        • String ID:
                                        • API String ID: 3950776272-0
                                        • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                        • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                        • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                        • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        • Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                        • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                        • Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                        • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                        • String ID:
                                        • API String ID: 493672254-0
                                        • Opcode ID: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                        • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                        • Opcode Fuzzy Hash: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                        • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                        APIs
                                        • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • _free.LIBCMT ref: 004482CC
                                        • _free.LIBCMT ref: 004482F4
                                        • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • _abort.LIBCMT ref: 00448313
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                        • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                        • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                        • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                        • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                        • Opcode Fuzzy Hash: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                        • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                        • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                        • Opcode Fuzzy Hash: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                        • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                        • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                        • Opcode Fuzzy Hash: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                        • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                        APIs
                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                        • wsprintfW.USER32 ref: 0040B22E
                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EventLocalTimewsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                        • API String ID: 1497725170-248792730
                                        • Opcode ID: 1ed3b47e3077d0fd067737743fa4ad86772719c251829b8ffb3efac0b2a4a081
                                        • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                        • Opcode Fuzzy Hash: 1ed3b47e3077d0fd067737743fa4ad86772719c251829b8ffb3efac0b2a4a081
                                        • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                        • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                        • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSizeSleep
                                        • String ID: XQG
                                        • API String ID: 1958988193-3606453820
                                        • Opcode ID: bd687066b5cbb8e815070d7a929d8c1079e18074e8845f285221059fdbc6b2c9
                                        • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                        • Opcode Fuzzy Hash: bd687066b5cbb8e815070d7a929d8c1079e18074e8845f285221059fdbc6b2c9
                                        • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                        • GetLastError.KERNEL32 ref: 0041D611
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                        • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                        • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                        • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                        • CloseHandle.KERNEL32(?), ref: 004077E5
                                        • CloseHandle.KERNEL32(?), ref: 004077EA
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                        • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                        • API String ID: 2922976086-4183131282
                                        • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                        • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                        • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                        • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                        • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                        • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                        • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                        • String ID: KeepAlive | Disabled
                                        • API String ID: 2993684571-305739064
                                        • Opcode ID: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                        • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                        • Opcode Fuzzy Hash: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                        • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                        APIs
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                        • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                        • Sleep.KERNEL32(00002710), ref: 0041AE98
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                        • String ID: Alarm triggered
                                        • API String ID: 614609389-2816303416
                                        • Opcode ID: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                        • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                        • Opcode Fuzzy Hash: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                        • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                        Strings
                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                        • API String ID: 3024135584-2418719853
                                        • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                        • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                        • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                        • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                        • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                        • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                        • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                        • _free.LIBCMT ref: 0044943D
                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00449609
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                        • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                        • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                        • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                        APIs
                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                          • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                        • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                          • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                          • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                        Similarity
                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 2180151492-0
                                        APIs
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                        • __alloca_probe_16.LIBCMT ref: 00451231
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                        • __freea.LIBCMT ref: 0045129D
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                        • _free.LIBCMT ref: 0044F43F
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                        • _free.LIBCMT ref: 00448353
                                        • _free.LIBCMT ref: 0044837A
                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        APIs
                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                        Similarity
                                        • API ID: Process$CloseHandleOpen$FileImageName
                                        • String ID:
                                        • API String ID: 2951400881-0
                                        APIs
                                        • _free.LIBCMT ref: 00450A54
                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00450A66
                                        • _free.LIBCMT ref: 00450A78
                                        • _free.LIBCMT ref: 00450A8A
                                        • _free.LIBCMT ref: 00450A9C
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • _free.LIBCMT ref: 00444106
                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00444118
                                        • _free.LIBCMT ref: 0044412B
                                        • _free.LIBCMT ref: 0044413C
                                        • _free.LIBCMT ref: 0044414D
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • _strpbrk.LIBCMT ref: 0044E7B8
                                        • _free.LIBCMT ref: 0044E8D5
                                          • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                          • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                          • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                        Strings
                                        Similarity
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 2812119850-3972193922
                                        APIs
                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                          • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Similarity
                                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                                        • String ID: XQG$NG$PG
                                        • API String ID: 1634807452-3565412412
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe,00000104), ref: 00443515
                                        • _free.LIBCMT ref: 004435E0
                                        • _free.LIBCMT ref: 004435EA
                                        Strings
                                        • C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe, xrefs: 0044350C, 00443513, 00443542, 0044357A
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe
                                        • API String ID: 2506810119-2697911529
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                        Strings
                                        Similarity
                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                        • String ID: /sort "Visit Time" /stext "$0NG
                                        • API String ID: 368326130-3219657780
                                        • Opcode ID: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                        • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                        • Opcode Fuzzy Hash: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                        • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                        APIs
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Init_thread_footer__onexit
                                        • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                        • API String ID: 1881088180-1310280921
                                        • Opcode ID: 961b7b1a26abc7e4daef6f01c6d0dc322bcd9b7c3ee2841ee0eb4e4cc83ad451
                                        • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                        • Opcode Fuzzy Hash: 961b7b1a26abc7e4daef6f01c6d0dc322bcd9b7c3ee2841ee0eb4e4cc83ad451
                                        • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                        APIs
                                        • _wcslen.LIBCMT ref: 00416330
                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                          • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                          • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                          • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: _wcslen$CloseCreateValue
                                        • String ID: !D@$okmode$PG
                                        • API String ID: 3411444782-3370592832
                                        • Opcode ID: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                        • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                        • Opcode Fuzzy Hash: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                        • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                        APIs
                                          • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                        Strings
                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                        • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                        • API String ID: 1174141254-1980882731
                                        • Opcode ID: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                        • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                        • Opcode Fuzzy Hash: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                        • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                        APIs
                                          • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                        Strings
                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                        • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                        • API String ID: 1174141254-1980882731
                                        • Opcode ID: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                        • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                        • Opcode Fuzzy Hash: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                        • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                        • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                        • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTimewsprintf
                                        • String ID: Offline Keylogger Started
                                        • API String ID: 465354869-4114347211
                                        • Opcode ID: 1e3120ed3182c836d7244f4e95a692e041c786e93486a4ca8bb36869d82516a6
                                        • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                        • Opcode Fuzzy Hash: 1e3120ed3182c836d7244f4e95a692e041c786e93486a4ca8bb36869d82516a6
                                        • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                        APIs
                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                        • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTime$wsprintf
                                        • String ID: Online Keylogger Started
                                        • API String ID: 112202259-1258561607
                                        • Opcode ID: ca68cf39fc6d7dc1a346c019aa3ec03b3636d2d573533672713bc3837481a91b
                                        • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                        • Opcode Fuzzy Hash: ca68cf39fc6d7dc1a346c019aa3ec03b3636d2d573533672713bc3837481a91b
                                        • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                        APIs
                                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: CryptUnprotectData$crypt32
                                        • API String ID: 2574300362-2380590389
                                        • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                        • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                        • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                        • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                        • CloseHandle.KERNEL32(?), ref: 004051CA
                                        • SetEvent.KERNEL32(?), ref: 004051D9
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandleObjectSingleWait
                                        • String ID: Connection Timeout
                                        • API String ID: 2055531096-499159329
                                        • Opcode ID: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                        • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                        • Opcode Fuzzy Hash: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                        • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Exception@8Throw
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 2005118841-1866435925
                                        • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                        • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                        • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                        • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                        APIs
                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                        • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                        • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc
                                        • API String ID: 1818849710-4028850238
                                        • Opcode ID: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                        • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                        • Opcode Fuzzy Hash: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                        • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                          • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                          • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                        • String ID: bad locale name
                                        • API String ID: 3628047217-1405518554
                                        • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                        • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                        • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                        • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                        • ShowWindow.USER32(00000009), ref: 00416C9C
                                        • SetForegroundWindow.USER32 ref: 00416CA8
                                          • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                          • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                          • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                          • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                        • String ID: !D@
                                        • API String ID: 186401046-604454484
                                        • Opcode ID: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                        • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                        • Opcode Fuzzy Hash: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                        • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: /C $cmd.exe$open
                                        • API String ID: 587946157-3896048727
                                        • Opcode ID: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                        • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                        • Opcode Fuzzy Hash: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                        • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteDirectoryFileRemove
                                        • String ID: pth_unenc$xdF
                                        • API String ID: 3325800564-2448381268
                                        • Opcode ID: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                        • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                        • Opcode Fuzzy Hash: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                        • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                        APIs
                                        • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                        • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                        • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: TerminateThread$HookUnhookWindows
                                        • String ID: pth_unenc
                                        • API String ID: 3123878439-4028850238
                                        • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                        • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                        • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                        • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                        • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                        • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                        • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                        • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                        • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                        • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                        • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                        • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                        • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                        APIs
                                        Strings
                                        • Cleared browsers logins and cookies., xrefs: 0040C130
                                        • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                        • API String ID: 3472027048-1236744412
                                        • Opcode ID: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                        • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                        • Opcode Fuzzy Hash: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                        • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                        APIs
                                          • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                          • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                          • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                        • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQuerySleepValue
                                        • String ID: 8SG$exepath$xdF
                                        • API String ID: 4119054056-3578471011
                                        • Opcode ID: abb323afdf3d65a8fcb9fe28f99c1048d11d133e5e733d2859862f82a45f57bd
                                        • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                        • Opcode Fuzzy Hash: abb323afdf3d65a8fcb9fe28f99c1048d11d133e5e733d2859862f82a45f57bd
                                        • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                                        APIs
                                          • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                          • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                          • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                        • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                        • Sleep.KERNEL32(00000064), ref: 0040A638
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$ForegroundLength
                                        • String ID: [ $ ]
                                        • API String ID: 3309952895-93608704
                                        • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                        • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                        • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                        • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: SystemTimes$Sleep__aulldiv
                                        • String ID:
                                        • API String ID: 188215759-0
                                        • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                        • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                        • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                        • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                        • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                        • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                        • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                        • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                        • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                        • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                        • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                        • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                        • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                        • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                        • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 3919263394-0
                                        • Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                        • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                        • Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                        • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                          • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                        • _UnwindNestedFrames.LIBCMT ref: 00439911
                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                        • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                        • String ID:
                                        • API String ID: 2633735394-0
                                        • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                        • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                        • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                        • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                        APIs
                                        • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                        • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                        • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                        • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MetricsSystem
                                        • String ID:
                                        • API String ID: 4116985748-0
                                        • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                        • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                        • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                        • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                          • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                        • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                        • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                        • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                        • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                        • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                        • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                        APIs
                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: GdiplusStartupconnectsend
                                        • String ID: ,aF$NG
                                        • API String ID: 1957403310-2168067942
                                        • Opcode ID: f4235fb510d9c80f064b31a7b0f77f321443860040ba35e7fa4f9ded93e3b307
                                        • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                        • Opcode Fuzzy Hash: f4235fb510d9c80f064b31a7b0f77f321443860040ba35e7fa4f9ded93e3b307
                                        • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                          • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                          • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                          • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/jpeg
                                        • API String ID: 1291196975-3785015651
                                        • Opcode ID: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                        • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                        • Opcode Fuzzy Hash: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                        • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                        APIs
                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ACP$OCP
                                        • API String ID: 0-711371036
                                        • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                        • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                        • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                        • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                          • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                          • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                          • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/png
                                        • API String ID: 1291196975-2966254431
                                        • Opcode ID: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                        • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                        • Opcode Fuzzy Hash: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                        • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                        APIs
                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 481472006-1507639952
                                        • Opcode ID: 6a6dd04c78f1243afd3adc0c709adc44285d3ed02cea83161db4516a3b8aa8d1
                                        • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                        • Opcode Fuzzy Hash: 6a6dd04c78f1243afd3adc0c709adc44285d3ed02cea83161db4516a3b8aa8d1
                                        • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                        APIs
                                        • Sleep.KERNEL32 ref: 0041667B
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadFileSleep
                                        • String ID: !D@
                                        • API String ID: 1931167962-604454484
                                        • Opcode ID: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                        • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                        • Opcode Fuzzy Hash: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                        • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                        APIs
                                        • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: | $%02i:%02i:%02i:%03i
                                        • API String ID: 481472006-2430845779
                                        • Opcode ID: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                        • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                        • Opcode Fuzzy Hash: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                        • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: alarm.wav$hYG
                                        • API String ID: 1174141254-2782910960
                                        • Opcode ID: 36777b58f562ae880fe065173d7388d0cb1aec3caf481dd9519d79c18cec9ee7
                                        • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                        • Opcode Fuzzy Hash: 36777b58f562ae880fe065173d7388d0cb1aec3caf481dd9519d79c18cec9ee7
                                        • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                        APIs
                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                        • UnhookWindowsHookEx.USER32 ref: 0040B102
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                        • String ID: Online Keylogger Stopped
                                        • API String ID: 1623830855-1496645233
                                        • Opcode ID: 5c1ef11ff9a74ffdec2b51700aff9b60d5214403fdce7dbdd5e2d5b2d04e2712
                                        • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                        • Opcode Fuzzy Hash: 5c1ef11ff9a74ffdec2b51700aff9b60d5214403fdce7dbdd5e2d5b2d04e2712
                                        • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                        APIs
                                        • waveInPrepareHeader.WINMM(005ED338,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                        • waveInAddBuffer.WINMM(005ED338,00000020,?,00000000,00401A15), ref: 0040185F
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferHeaderPrepare
                                        • String ID: XMG
                                        • API String ID: 2315374483-813777761
                                        • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                        • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                        • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                        • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                        APIs
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: $G
                                        • API String ID: 269201875-4251033865
                                        • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                        • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                        • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                        • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                        APIs
                                        • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: LocaleValid
                                        • String ID: IsValidLocaleName$kKD
                                        • API String ID: 1901932003-3269126172
                                        • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                        • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                        • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                        • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                        • API String ID: 1174141254-4188645398
                                        • Opcode ID: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                        • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                        • Opcode Fuzzy Hash: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                        • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                        • API String ID: 1174141254-2800177040
                                        • Opcode ID: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                        • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                        • Opcode Fuzzy Hash: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                        • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: AppData$\Opera Software\Opera Stable\
                                        • API String ID: 1174141254-1629609700
                                        • Opcode ID: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                        • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                        • Opcode Fuzzy Hash: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                        • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                        APIs
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: $G
                                        • API String ID: 269201875-4251033865
                                        • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                        • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                        • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                        • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                        APIs
                                        • GetKeyState.USER32(00000011), ref: 0040B686
                                          • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                          • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                          • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                          • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                          • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                          • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                          • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                        • String ID: [AltL]$[AltR]
                                        • API String ID: 2738857842-2658077756
                                        • Opcode ID: fa93664948dcb0f020004388e922df39f0c15565708f89507acb73c0046c3751
                                        • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                        • Opcode Fuzzy Hash: fa93664948dcb0f020004388e922df39f0c15565708f89507acb73c0046c3751
                                        • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: !D@$open
                                        • API String ID: 587946157-1586967515
                                        • Opcode ID: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                        • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                        • Opcode Fuzzy Hash: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                        • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                        APIs
                                        • GetKeyState.USER32(00000012), ref: 0040B6E0
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: State
                                        • String ID: [CtrlL]$[CtrlR]
                                        • API String ID: 1649606143-2446555240
                                        • Opcode ID: 533432bc897d172b5aee8caafc533d6d1d6dab6a7602291f4f1d8f3613ae2efb
                                        • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                        • Opcode Fuzzy Hash: 533432bc897d172b5aee8caafc533d6d1d6dab6a7602291f4f1d8f3613ae2efb
                                        • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                        APIs
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Init_thread_footer__onexit
                                        • String ID: ,kG$0kG
                                        • API String ID: 1881088180-2015055088
                                        • Opcode ID: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                        • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                        • Opcode Fuzzy Hash: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                        • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteOpenValue
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        • API String ID: 2654517830-1051519024
                                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                        • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                        • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                        APIs
                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ObjectProcessSingleTerminateWait
                                        • String ID: pth_unenc
                                        • API String ID: 1872346434-4028850238
                                        • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                        • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                        • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                        • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountInfoInputLastTick
                                        • String ID: NG
                                        • API String ID: 3478931382-1651712548
                                        • Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                        • Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
                                        • Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                        • Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                        • GetLastError.KERNEL32 ref: 00440D85
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                        • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                        • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                        • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                        • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3711432351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.3711387779.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711581094.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711632888.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.3711752683.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastRead
                                        • String ID:
                                        • API String ID: 4100373531-0
                                        • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                        • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                        • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                        • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99